The Department of Veterans Affairs headquarters building as seen in Washington, D.C., on July 6, 2022. (Carlos Bongioanni/Stars and Stripes)

WASHINGTON — A Department of Veterans Affairs account with Microsoft was infiltrated earlier this year by Russian hackers, though the agency reported no personal information or other sensitive data of any veterans was accessed.

Hackers gained access in January to Microsoft Azure Government, a cloud computing service that delivers servers, storage, databases, networking and software that the VA and other federal agencies use across the internet, according to the VA.

“After investigating the matter, we determined that no patient data was compromised,” Terrence Hayes, the VA press secretary, said Monday. “We are continuing to look into this matter with Microsoft to ensure that all veteran patient data remains protected and that we are not compromised in the future.”

Hayes said the VA’s cloud account with Microsoft was “accessed for just one second, presumably to see if the credentials worked.”

Microsoft said Monday that it is assisting with mitigation efforts after notifying customers whose account information might have been exposed in the breach.

The company did not respond directly to the hack at the VA but said it has no evidence that “Microsoft-hosted, customer-facing systems” were compromised.

Microsoft alerted the VA in March to the cybersecurity attack, which also included breaches at the Peace Corps and the U.S. Agency for Global Media, an independent news organization of the federal government that includes Voice of America, Radio Free Europe and Free Asia.

“These actions were determined to be part of the broader Midnight Blizzard compromise within the Microsoft corporate environment on or about January 2024,” Hayes said.

The company blamed a Russian state-sponsored group known as Midnight Blizzard, or Nobelium, for the attack. An investigation is underway by the Department of Homeland Security.

“Microsoft’s security team detected a nation-state attack on our corporate systems on Jan. 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack and deny the threat actor further access,” Microsoft said in a blog post published Jan. 19.

The group initially targeted Microsoft corporate email accounts, including members of the senior leadership team, for information shared with the company’s clients, according to Microsoft.

“The attack was not the result of a vulnerability in Microsoft products or services,” Microsoft said.

The blog post did not identify the VA or other Microsoft clients that were the target of the attacks.

Microsoft said Midnight Blizzard engaged in what is known as a password spray attack to access accounts.

A spray attack involves a repeated process of using simple, predictable passwords to access email accounts without the user’s knowledge or consent.

VA credentials were used to access an agency testing environment for new web applications before they are released to users, the VA said. Veteran data is not part of the testing environment.

“VA found that Midnight Blizzard used a single set of stolen credentials to access a Microsoft cloud test environment around January,” Hayes said.

The VA has determined no additional credentials or sensitive email were taken, he said. Usernames and passwords to log in to cloud accounts were changed.

“VA changed the exposed credentials, along with log-in details across their Microsoft environments,” Hayes said. “Additionally, after reviewing the emails that the hackers accessed, the VA determined that no additional credentials or sensitive email were taken.”

The VA is working with Microsoft and authorities as the investigation continues, he said.

Hayes said the attack was unrelated to another breach that the VA disclosed in April involving a commercial vendor that processes health care payments for the VA.

“That previous breach was a result of an attack that impacted much of the United States health care system, including potentially VA,” he said.

Change Healthcare, the nation’s largest payment processor for health care services, was the victim of a cyberattack by unidentified malicious actors, according to UnitedHealth Group, parent company of Change Healthcare.

Fifteen million veterans were notified their private health care information could have been compromised in the attack, the VA disclosed at the time.

Linda F. Hersey is a veterans reporter based in Washington, D.C. She previously covered the Navy and Marine Corps at Inside Washington Publishers. She also was a government reporter at the Fairbanks Daily News-Miner in Alaska, where she reported on the military, economy and congressional delegation.