Respond to prefers-color-scheme dark in app web views

Follow section front redirects in Spectrum

Enable NLP source in PCS for load testing

Switch off the News Alerts Survey Widget when we have enough responses

Poll to determine if new LUF updates are available

Allows the winning A/B test variant to be turned on without Spectrum deployment

Show infinite scrolling sections in Assembler MultiView

Show option for NLP article summaries in Action Bar

A general feature flag for Recipe Features that aren't yet released

Feature flag for media team features that aren't yet released

Use new Orca video player for preroll plugin in Spectrum

Show the snow tracker (instead of the heat tracker) on Spectrum

That time football legend, rig-driving eligible bachelor Biden was arrested

Trump and allies say Biden pays rent for ‘illegals’ in Michigan. Not true.

Eighty percent of Ukraine-Israel bill will be spent in U.S. or by U.S. military

Chinese EVs are good for the world. Biden says they’re bad for America. 

Why the Solomon Islands election matters to China and the U.S.

Biden calls ally Japan ‘xenophobic’ like China, Russia, at campaign event

Young Georgians want to be part of Europe. Their government is in the way.

On Press Freedom Day, little to celebrate for Hong Kong’s journalists

Taxes are inevitable. Paying to prepare them doesn’t have to be.

Cat climbed into Amazon return box, found alive 630 miles away

Brave Little Hunter is free: Baby orca escapes lagoon for open seas

I learned to heal my sadness by cradling dying chickens 

What’s the best bus to New York? We tested 5 for comfort and value.

You asked: Do I need a passport for my cruise?

Adaptive equipment is making national parks more inclusive

Miss Manners: Offering my bedroom to guests

Ask Amy: My wife’s sister confessed her feelings for me

Carolyn Hax: Will request for a postnup offend much younger wife?

The 6 best things to do with kids in the D.C. area this weekend 

The 33 best things to do in D.C. this weekend and next week

Trevor Williams’s escape act helps Nationals blank Rangers 

This masterpiece ‘Birth of Venus’ probably isn’t of Venus at all

The beginner’s illustrated guide to watching an F1 race

Wait, what is Stephen A. Smith talking about? Find out with our quiz.

World Press Freedom Day, 2024

How Trump convinces Republicans to adopt extreme views

Campuses are grappling with the Gaza war. So are our columnists.

Stephen A. Smith would like even more of your attention

Local sports networks go dark mid-game amid dispute with Comcast 

NASA moon capsule suffered extensive damage during 2022 test flight

Russian state media ramping up English, Spanish presence on TikTok, study finds

Apple is behind in AI and killed its self-driving car project. What’s next?

Trump

Russian government hackers have compromised Microsoft cloud customers and stolen emails from at least one private-sector company, according to people familiar with the matter, a worrying development in Moscow’s ongoing cyberespionage campaign targeting numerous U.S. agencies and corporate computer networks.

The intrusions appear to have occurred via a Microsoft corporate partner that handles cloud-access services, those familiar with the matter said. They did not identify the partner or the company known to have had emails stolen. Like others, these people spoke on the condition of anonymity to discuss what remains a highly sensitive subject.

Microsoft hasn’t publicly commented on the intrusions. On Thursday, an executive with the tech giant sought to downplay the issue’s significance.

“Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms,” Jeff Jones, Microsoft’s senior director for communications, said. “We have still not identified any vulnerabilities or compromise of Microsoft product or cloud services.”

The troubling revelation comes several days after Microsoft’s president, Brad Smith, said the Fortune 500 company had not seen any customers breached through its services, including the vaunted Azure cloud platform used by governments, major corporations and universities worldwide.

“I think we can give you a blanket answer that affirmatively states, no, we are not aware of any customers being attacked through Microsoft’s cloud services or any of our other services, for that matter, by this hacker,” Smith told The Washington Post on Dec. 17.


<i>[Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies]</i>


Yet two days earlier, Microsoft notified the cybersecurity firm CrowdStrike of an issue with a third-party reseller that handles licensing for its Azure customers, according to a  blog post CrowdStrike published Wednesday. In its post, CrowdStrike <a href="https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/">alerted customers</a> that Microsoft had detected unusual behavior in CrowdStrike’s Azure account and that “there was an attempt to read email, which failed.” CrowdStrike does not use Microsoft’s email service. It did not link the tactic to Russia.

People familiar with the previously undisclosed email theft said it does not exploit any Microsoft vulnerability. The company itself was not hacked — only one of its partners, they said.

Nevertheless, the troubling development raises concerns about the extent of Microsoft’s disclosure obligations, cybersecurity experts said.

“If it’s true that a cloud service provider customer’s data has been exfiltrated and is in the hands of some threat actor, that’s a very serious situation,” said John Reed Stark, who runs a consulting firm and is former chief of the Securities and Exchange Commission’s Office of Internet Enforcement. “It should raise all sorts of alerts within that cloud provider that could trigger a litany of notification, remediation and disclosure requirements — both national and international.”

In a blog post last week, Microsoft stated it was notifying “more than 40 customers” that they had been breached. Some of them were compromised through the third party, people familiar with the matter said.

Specifically, the adversary hacked the reseller, stealing credentials that can be used to gain broad access to its customers’ Azure accounts. Once inside a particular customer’s account, the adversary had the ability to read — and steal — emails, among other information.

Microsoft began alerting private-sector clients to the issue last week. Jones said the company also informed the U.S. government last week “that some reseller partners were affected.” However, two individuals familiar with the matter said the government was not notified.

Microsoft itself has not publicly announced the reseller hack. By contrast, when the cybersecurity firm FireEye learned it had been breached through a software update, it disclosed the information. That software patch, from a company called SolarWinds, has been the path through which the Russians have compromised at least five major federal agencies in a major ongoing campaign that has U.S. officials working through the holidays.

SolarWinds <a href="https://www.solarwinds.com/securityadvisory" title="www.solarwinds.com">has acknowledged the hack</a>, calling it “very sophisticated.”


<i>[Spies with Russia’s foreign intelligence service believed to have hacked a top American cybersecurity firm and stolen its sensitive tools]</i>


Microsoft’s Jones characterized the reseller issue as “a variation on what we’ve been seeing and not a major new vector.” He said: “Abuse of credentials has been a common theme that’s been reported as part of the tools, techniques and practices for this actor.”

Jones declined to answer questions about when the firm discovered the reseller compromise, how many customers the reseller has, how many were breached and whether the reseller was alerting its customers.

“We have various agreements with people, and we won’t share specific information about our engagement with specific partners or customers,” he said.

The fact that the hackers breached a Microsoft partner may not absolve the firm of legal liability, experts said. When hackers stole more than 100 million credit card applications last year from a major bank’s cloud, which was provided by Amazon Web Services, customers sued the bank and AWS. In September, a federal judge denied Amazon’s motion to dismiss, saying its “negligent conduct” probably “made the attack possible.”

Said Stark: “Just because a cloud provider denies liability does not necessarily mean the provider is off the hook.”

(Amazon chief executive Jeff Bezos owns The Post.)

The investigation has now become the top priority for Gen. Paul Nakasone, who heads both the National Security Agency and the military’s U.S. Cyber Command. Developing a coherent, unified picture of the extent of the breaches has been difficult because neither the NSA nor the Department of Homeland Security nor the FBI has the legal or jurisdictional authority to know where all the compromises are.

Nakasone’s challenge, as one U.S. official put it, is “he’s expected to know how all the dots are connected, but he doesn’t know how many dots there are or where they all are.”

Some of that inability is caused by federal contracting rules to protect agency privacy, Microsoft’s Smith said. In his interview last week, he said the company was the first to alert several federal agencies to the breaches that had taken place through the SolarWinds update. But, he said, the company was barred by federal contract from sharing that information outside of the agency affected.

“In many instances, because of the confidentiality restrictions that are placed on us by federal contracts, we would have to go to the government and say, ‘We have found another federal agency. We can’t tell you who they are. . . . But we are asking them to call you,” he said.

U.S. government and private-sector sources now say the total number of victims — of agencies and companies that have seen data stolen — is likely to be at most in the low hundreds, not in the thousands as previously feared. But even one major agency hack is significant.

Several years ago, Chinese government hackers compromised the Office of Personnel Management, exposing the records of more than 22 million federal workers and their families.

Then as now, the breaches were seen as acts of espionage. There was no evidence of network disruption or destruction, or of efforts to use the stolen goods in, say, an operation to interfere in an election or run a disinformation campaign.

The Russian effort is not an act of war, U.S. officials say.

“I want a throat to choke on this thing — I’m angry that they got us, but the reality is the Russians pulled off a highly targeted, complex and probably expensive cyber intrusion that was a sophisticated espionage operation,” said Rep. Jim Langevin (D-R.I.), a member of the House Armed Services Committee who co-chairs the Congressional Cybersecurity Caucus.

The breaches are akin to the Russians placing moles in multiple places in high levels of the government, Langevin said, adding that the U.S. government should respond as it would to a physical espionage campaign. “We could expel diplomats or suspected spies, or perhaps impose sanctions,” he said. “But we also want to be careful that we don’t destabilize the Internet or our own espionage operations.”

Pulitzer Prize for Public Service, 2014

Gerald Loeb Award 2014, NSA stories

Society of American Business Editors and Writers enterprise award 2009, for the story "Banking Regulator Played Advocate over Enforcer"

Daily Californian Alumni Association Alumna of the Year, 2017

Pulitzer Prize for reporting on Russian interference in the 2016 presidential election, 2018

Pulitzer Prize for Public Service in 2022 for an investigation of the Jan. 6 assault on the U.S. Capitol

The Prince of Tennessee

City University, London, MA in international journalism

University of California at Berkeley, BA in humanities

Ellen Nakashima is a national security reporter with The Washington Post. She was a member of three Pulitzer Prize-winning teams, in 2022 for an investigation of the Jan. 6 assault on the U.S. Capitol, in 2018 for coverage of Russia's interference in the 2016 election, and in 2014 and for reporting on the hidden scope of government surveillance. 



Ellen Nakashima

The Washington Post

Russian hackers compromised Microsoft's cloud customers through a third party, putting email and other data at risk

Contributor

AFP/Getty Images

Gerard Julien

Getty

FILES-EU-INTERNET

Foreign Policy

Intelligence

Justice

Military

National Security

iptc-media/crime_law_and_justice/law

iptc-media/economy_business_and_finance

iptc-media/crime_law_and_justice/crime

iptc-media/economy_business_and_finance/economic_sector/computing_and_information_technology/computer_security

iptc-media/politics

iptc-media/economy_business_and_finance/economic_sector/computing_and_information_technology

iptc-media/arts_culture_entertainment_and_media

iptc-media/economy_business_and_finance/economic_sector/media

iptc-media/science_and_technology/technology_and_engineering

iptc-media/science_and_technology/technology_and_engineering/IT/computer_sciences

iptc-media/crime_law_and_justice

iptc-media/politics/government

iptc-media/arts_culture_entertainment_and_media/mass_media

iptc-media/economy_business_and_finance/economic_sector/computing_and_information_technology/software

iptc-media/economy_business_and_finance/business_information

iptc-media/arts_culture_entertainment_and_media/mass_media/online_media

iptc-media/politics/government/espionage_and_intelligence

iptc-media/science_and_technology

iptc-media/crime_law_and_justice/crime/computer_crime

client-blocklists/Client List: Morgan Stanley KWs - INCLUDES ANY

client-blocklists/Client List: Becton Dickinson KWs - EXCLUDES ALL

client-blocklists/Amazon KWs - INCLUDES ANY

client-blocklists/CLIENT LIST: Nomura KWs 2021 - EXCLUDES ALL

client-blocklists/Boeing KWs 2021- INCLUDE ANY

client-blocklists/Bed Bath & Beyond KWs - INCLUDE ANY

client-blocklists/Client List: Exxon Mobil  - INCLUDES ANY

client-blocklists/GEICO KWs - INCLUDES ANY_4.26.21

advertising/Continuum Articles for Darktrace

client-blocklists/Client List: T. Rowe Price KWs - EXCLUDES ALL

client-blocklists/T. Rowe Price KWs - EXCLUDES ALL

client-blocklists/Client List: Microsoft KWs 2 - INCLUDES ANY

client-blocklists/Ford/Lincoln KWs - EXCLUDES ALL

client-blocklists/HBO KWs - INCLUDES ANY

client-blocklists/Bank of America KWs - EXCLUDES ALL

client-blocklists/ExxonMobil 03312021 KWs - INCLUDES ALL

client-blocklists/Client List: Diageo - Johnnie Walker KWs - INCLUDES ANY

client-blocklists/WaPo: Combined Disaster Keyword List - INCLUDES ANY

advertising/B2_Business_legacyaux_hws

client-blocklists/Client List: Navy Federal Credit Union NFCU KWs 2 - EXCLUDES ALL - 12.23.20

advertising/B2_Companies_legacyaux_ieb

client-blocklists/Client List: Eli Lily KWs - INCLUDES ANY

advertising/B2_Corporate Responsibility_legacyaux_FTM

client-blocklists/Client List: IBM KWs ALTERNATE Watson - EXCLUDES ALL

advertising/B2_Cyber Security & Intelligence Community_legacyaux_E8X

advertising/B2_Data Center Buyer_legacyaux_80A

advertising/B2_Defense and Cybersecurity_legacyaux_nzv

advertising/B2_Defense and National Security 2.12.15_legacyaux_o1b

advertising/B2_Defense_legacyaux_yxn

advertising/B2_Departments and Agencies_legacyaux_1nn

advertising/B2_Digital Authentication_legacyaux_c2u

advertising/B2_Embassy, Ambassador, & Diplomat Content_legacyaux_1ho

advertising/B2_Entrepreneurship_legacyaux_sqb

client-blocklists/Client List: Purina KWs - INCLUDES ANY

advertising/Qualcomm Custom KW - 5G

advertising/B2_Government & Policy_legacyaux_mza

client-blocklists/BP KWs - INCLUDES ANY

client-blocklists/ CLIENT LIST: AT&T KWs 2021 - EXCLUDES ALL

advertising/B2_Consulting_legacyaux_s68

advertising/B2_Politics and Policy_legacyaux_pay

advertising/B2_Positive News_legacyaux_hlt

advertising/B2_Russia & Putin_legacyaux_F55

advertising/B2_Tech_legacyaux_54y

advertising/B2_Technology and Cyber Security 3.16.15_legacyaux_3jl

advertising/B2_Young Professional / International Businessman_legacyaux_r5x

client-blocklists/Client List: GEICO KWs

client-blocklists/Client List: KPMG KWs - EXCLUDES ALL

client-blocklists/Client List: Navy Federal Credit Union NFCU KWs - EXCLUDES ALL

client-blocklists/Client List: Novo Nordisk KWs - EXCLUDES ALL

client-blocklists/Client List: Siemens KWs - EXCLUDES ALL

client-blocklists/Client List: Cisco KWs - INCLUDES ANY

client-blocklists/Client List: AT&T ALT KWs - EXCLUDES ALL

client-blocklists/Mercedes KWs - INCLUDES ANY

client-blocklists/FX Excludes All Disney

client-blocklists/Client List: Inpixon KWs - INCLUDES ANY

client-blocklists/Client List: Boeing KWs - INCLUDES ANY

client-blocklists/Client List: Google KWs - INCLUDES ALL

client-blocklists/Philip Morris KWs - INCLUDES ANY 

client-blocklists/Capital One KWs 2 - INCLUDES ANY - 1.4.21

client-blocklists/Bank of America Merrill Lynch KWs - INCLUDES ANY

client-blocklists/CME KWs - EXCLUDES ALL

client-blocklists/Client List: IBM KWs - EXCLUDES ALL

client-blocklists/Google PG KWs - INCLUDES ANY

client-blocklists/Chase KWs - EXCLUDES ALL

client-blocklists/Client List: Office Depot KWs - INCLUDES ANY

client-blocklists/Client List: ETrade KWs - EXCLUDES ALL

prism://prism.query/site,/national-security&limit=20

Sign up for Fact Checker, our weekly review of what's true, false or in-between in politics.

The Washington Post's coverage of national security issues, including the military, intelligence, justice, and foreign policy.