Microsoft breach allowed Russian spies to steal emails from US government

The US government's Cybersecurity and Infrastructure Security Agency (CISA) warns that Russian spies who gained access to Microsoft's email system were able to steal sensitive data, including authentication details, and that immediate remedial action is required by affected agencies. In an Emergency Directive dated April 2 but …

  1. NoneSuch Silver badge

    Coming soon.

    "Here's an email with the new master password..."

  2. Doctor Syntax Silver badge

    Does the saying "good enough for government work" apply here and ordinary businesses can expect better? Or does government get the most secure service available?

    1. This post has been deleted by its author

      1. ghp

        Your arrival on this planet must be from a very recent date, I presume?

      2. Evil Auditor Silver badge

        You forgot the irony tag?

      3. doublerot13

        Private software / servers is kinda like security through obscurity - both work amazingly, right up to the moment they fail.

        You're also denying the security auditing and updates of open source.

    2. PeterM42

      If it's Microsoft.....

      ......you can't expect it to be SECURE, surely?

      1. Michael Wojcik Silver badge

        Re: If it's Microsoft.....

        While this in no way excuses Microsoft for what was a series of really quite shameful blunders, no one who understands security should "expect [anything] to be SECURE". Security is not an absolute; there is no such thing as a "secure system" in an absolute sense. Security is relative and represents the degree to which a system resists each of the attacks available under a given threat model.

        And it's not possible to have a universal threat model, even with complete information, which you never have.

        Any time you think "X is secure", you're already in error.

  3. elsergiovolador Silver badge

    Duck

    Well, Microsoft is happy to hire Russians even at executive levels, so...

    Yes, they may not support Putin and genocide... until Russia gets hold of their family or assets that are still in Russia.

    1. Anonymous Coward

      Re: Duck

      Sadly this is why we had to drop Kaspersky, the company/product is great, but if Putin says do X or he will torture/kill their family, everyone knows he will.

  4. Anonymous Coward

    Attack of the Russian cyber spies

    The US Cybersecurity and Infrastructure Security Agency (CISA) warns that Russian spies .. were able to steal sensitive data

    Very careless of the FBS, allowing the hack to be traced back to an I.P address registered to Yauzskaya St /s

    Was it wise running federal agencies on the one centralized email system? As when one gets compromised, they all get compromised.

    1. Jellied Eel Silver badge

      Re: Attack of the Russian cyber spies

      Was it wise running federal agencies on the one centralized email system? As when one gets compromised, they all get compromised.

      But MS is all about sharing. Federate, share your work easily. Throw everything into the cloud. Trust in MS!

      Affected federal agencies must comb through mails, reset API keys and passwords

      Oops. I've reset the API keys and am now mailing the new ones to all users. Hopefully proper government still has cryptocustodians who get to fly around the world hand-delivering stuff that can't be trusted to be sent electronically. Or if it is, it's with multiple layers of encryption.

      1. Michael Wojcik Silver badge

        Re: Attack of the Russian cyber spies

        Both good points.

        Microsoft is "all about sharing" because it improves vendor lock-in. Users have a choice between low-friction sharing of information, between users and between applications, or assembling their own portfolio of preferred applications and imposing fine-grained control on access to information. The former choice inculcates laziness, carelessness, and complex and undocumented ad hoc workflows, so it's what users will gravitate toward. Then it becomes difficult to get them out of it.

        The "application suite" concept was a trap, as was the IDE and other forms of software integration. Many have noted this over the years, of course.

  5. ldo

    With Friends Like These ...

    ... who needs enemies?

  6. Anonymous Coward

    Why the F**** do they not have their own plugin developed to encrypt the content of government emails when used for such things?

    1. Michael Wojcik Silver badge

      Why would they need a plugin, much less a custom-developed one? Even Outlook/Exchange support S/MIME, and there are inexpensive commercial plugins if you'd rather have PHP.

      The Feds don't use encrypted email for the same reason the vast majority of other organizations don't: It's a bit of a hassle, for IT and for users, and any extra work is too much extra work.

      It's not clear how much of a mitigation email encryption would have been in the case of this breach, as we keep hearing that Cozy Bear had more access than originally claimed. They had access to Microsoft source code and various internal systems, so it's possible they could have mounted a supply-chain attack that gave them email contents before sending or after being decrypted by the recipient.

  7. This post has been deleted by its author

  8. Al fazed

    The question

    I have been asking since 1995 is, "Why are they still using Microsoft anything ?"

    Why is any pro democracy go vermins still using anything which is sold by Microsoft ?

    Oh, UK go vemins has signed a new contract with Cosy Bear to try to get our data back outta da Microsoft cloud........

  9. MikeLivingstone

    Government - cloud first

    Officials left their brains behind - chanting cloud first.

  10. mIVQU#~(p,

    LLM

    Seems like a good use case for AI. Feed it all of the emails and ask it to list out all of the API keys and passwords.
