In January, Russian hackers accessed a VA account through a Microsoft-based platform, but no personal information or data were compromised, according to an agency official. The breach targeted Microsoft Azure Government, a cloud service used by the VA and other government entities for storage, databases, and other services.
VA press secretary Terrence Hayes told Military Times that the server was breached for only one second by a group known as Midnight Blizzard, or Nobelium, which is linked to the Russian government.
“After investigating the matter, we determined that no patient data was compromised,” Hayes told Military Times. “VA found that Midnight Blizzard used a single set of stolen credentials to access a Microsoft Cloud test environment around January. … We are continuing to look into this matter with Microsoft to ensure that all veteran patient data remains protected and that we are not compromised in the future.”
Stars and Stripes first reported on the hack, noting that Microsoft’s investigation showed the attack targeted corporate email accounts within the company, including senior leadership, to gather information on Midnight Blizzard itself. The hackers employed a “spray attack,” a method using simple, predictable passwords to gain unauthorized access.
The cyberattack also impacted the Peace Corps and the U.S. Agency for Global Media, which oversees Voice of America, Radio Free Europe, and Radio Free Asia. These breaches were part of a broader compromise within Microsoft’s corporate environment, identified in January 2024.
Microsoft’s security team detected the nation-state attack on January 12 and swiftly initiated its response process to investigate and mitigate the threat, preventing further access. The hackers targeted corporate email accounts, including those of senior leadership, to extract information shared with Microsoft’s clients. Microsoft emphasized that the attack was not due to a flaw in its systems.
Midnight Blizzard attempted to access email accounts using simple passwords without user knowledge. The VA’s credentials used to access a testing environment for new web applications were compromised, but no Veteran data was involved. After discovering the breach, the VA changed the exposed credentials and reviewed the accessed emails, finding that no additional credentials or sensitive information had been taken. Microsoft also said there was no evidence the threat actor had accessed customer environments, production systems, source code, or AI systems.
This attack was separate from a February incident involving Change Healthcare, the nation’s largest health care payment processor. The February incident affected a significant portion of the U.S. health care system, with 15 million Veterans notified of potential exposure of their private health care data.
The VA will continue to work with Microsoft to ensure that Veteran data remains secure and to prevent future breaches.