{
	"id": "46ad0f66-c807-4471-9269-3cb31ccb614f",
	"created_at": "2026-04-06T00:17:33.775447Z",
	"updated_at": "2026-04-10T13:12:15.730883Z",
	"deleted_at": null,
	"sha1_hash": "914c6bb5295f1bac7c0f4e30ac1112ff0af052e3",
	"title": "Exclusive: Russian spies hacked UK government data and emails earlier this year",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95876,
	"plain_text": "Exclusive: Russian spies hacked UK government data and emails\r\nearlier this year\r\nBy Alexander Martin\r\nPublished: 2024-08-08 · Archived: 2026-04-05 15:37:54 UTC\r\nUpdated August 9 with comments from a government spokesperson about the incident.\r\nCyber spies working for Russia’s foreign intelligence service accessed corporate emails and data on individuals\r\nfrom the British government earlier this year, according to an official description of the incident obtained by\r\nRecorded Future News.\r\nThe breach, which has not previously been reported, followed the Russian hackers initially targeting Microsoft,\r\nwhich supplies corporate services to the Home Office, before the hackers exploited this access to also compromise\r\ndata from several of Microsoft’s clients.\r\nFollowing publication, a government spokesperson stressed that the Russian spies had not accessed the Home\r\nOffice's own systems. It is understood the hackers compromised corporate email data shared between Microsoft\r\nand the Home Office that was held by Microsoft.\r\n\"There is no evidence that Home Office systems were compromised. We take data security very seriously, with\r\nrobust reporting mechanisms in place, and continuous monitoring to ensure data is protected,\" the spokesperson\r\nsaid.\r\nMicrosoft first disclosed in January that the hacking group tracked as Midnight Blizzard — which the U.K.\r\nattributes to Russia’s SVR intelligence agency — had accessed the email accounts of senior leaders at the\r\ncompany, later confirming the hackers had also accessed customers’ emails as well as Microsoft’s own “source\r\ncode repositories and internal systems.”\r\nThe Home Office reported the incident to Britain’s data protection regulator on May 2, almost four months after\r\nMicrosoft’s initial disclosure. 
Under British data protection laws, organizations are required to report personal data\r\nbreaches to the regulator within 72 hours of becoming aware of the breach.\r\nA description of this report obtained under the Freedom of Information Act said the incident was a “nation state\r\nattack on [a] supplier” of the department’s corporate systems, and linked the hack to Microsoft’s January\r\nannouncement.\r\nA spokesperson for the ICO said: “We can confirm that we are aware of this incident, have assessed the\r\ninformation provided and concluded that no further action is required.”\r\nIt is likely that most of Microsoft’s government customers discovered they had been impacted by the breach\r\nmuch later than Microsoft became aware of the initial incident affecting its senior staff.\r\nhttps://therecord.media/russia-hack-uk-government-home-office-microsoft\r\nPage 1 of 3\n\nIt wasn’t until April that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that federal\r\ngovernment data had also been affected by the hack.\r\nAt that time, CISA said Microsoft had pledged to assist the U.S. 
government’s investigation into the incident by\r\nproviding “metadata for all exfiltrated federal agency correspondence,” and warned that this stolen\r\ncorrespondence “presents a grave and unacceptable risk to agencies.”\r\nThe breach of British government data comes as Russia’s intelligence services have been especially active in\r\nsupporting Moscow’s war aims as it continues its invasion of Ukraine, including by targeting those countries\r\nproviding support to Kyiv.\r\n“Since February 2022, the rules of the game have changed for the Kremlin, which now acts in the cyber realm as\r\nif it were already at war with the UK,” said Christopher Steele, the director of Orbis Business Intelligence and a\r\nformer British intelligence officer focusing on Russia.\r\nJames Sullivan, the director of cyber research at the RUSI think tank, said: “It’s not a surprise that this may have\r\nhappened. We know that Russia conducts campaigns like this and the British public is sadly used to it now, rather\r\nthan outraged.\r\n“But we must take these incidents seriously. They can undermine trust and confidence in public services and\r\npublic officials. We do need to understand the impact a bit more in terms of the damage that has been done, what\r\nthe risks are to the country, what kind of strategic advantage the adversary might be pursuing, and respond\r\naccordingly.”\r\nMeasuring the effect of intelligence-gathering operations is extremely challenging. Steele said that the SVR’s\r\n“motivations may be manifold — such as finding personal information of key individuals, or simply disrupting the\r\nfunctions of the British state — but their tactics are consistently more brazen and less cautious than in the past.”\r\nJust the day after the data breach report was filed with Britain’s data protection regulator, the U.K. 
and allies\r\nissued a joint statement condemning malicious cyber activity by the Russian intelligence services — although this\r\nspecifically focused on the activity of a different Russian agency, the GRU, which was blamed for attacks on the\r\nGerman Social Democratic Party.\r\nRUSI’s Sullivan told Recorded Future News: “Official attributions are a tool we have, but attribution needs to\r\ncome as a package of measures — it needs to be coupled with other interventions like sanctions, or with cyber\r\noperations against the adversary — to have an impact. I’d be very interested to see what the actual response would\r\nbe to an incident like this, or even if the UK Government thinks a response is needed.” \r\nSullivan said the incident highlighted pressing questions about the accountability of the private-sector\r\norganizations involved in selling services to governments:  “Similar to Crowdstrike, this incident affecting\r\nMicrosoft shows how our use of just a few providers for critical services sets us up for single points of failure\r\nwhen there are breaches or outages. We may need to think about greater vendor diversity to spread the risk out and\r\ngive organizations more resilience.”\r\nFollowing publication, a spokesperson for Microsoft said: “We have found no evidence that any Microsoft-hosted\r\ncustomer-facing systems have been compromised as a result of the attack against Microsoft that we shared in\r\nJanuary. As we shared at the time, the threat actor accessed a very small percentage of Microsoft corporate email\r\naccounts. We provided notifications to customers who corresponded with the impacted Microsoft corporate email\r\naccounts.”\r\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. 
He can be reached securely using Signal\r\non: AlexanderMartin.79\r\nSource: https://therecord.media/russia-hack-uk-government-home-office-microsoft",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/russia-hack-uk-government-home-office-microsoft"
	],
	"report_names": [
		"russia-hack-uk-government-home-office-microsoft"
	],
	"threat_actors": [
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434653,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/914c6bb5295f1bac7c0f4e30ac1112ff0af052e3.pdf",
		"text": "https://archive.orkl.eu/914c6bb5295f1bac7c0f4e30ac1112ff0af052e3.txt",
		"img": "https://archive.orkl.eu/914c6bb5295f1bac7c0f4e30ac1112ff0af052e3.jpg"
	}
}