CISA Confirms Russian-Backed Hackers Behind Cyber Attack

Jen Easterly, nominee to be the Director of the Homeland Security Cybersecurity and Infrastructure Security Agency, testifies during her confirmation hearing before the Senate Homeland Security and Governmental Affairs Committee in Washington, on June 10, 2021. (Kevin Dietsch/Getty Images)
Caden Pearson
4/12/2024
Updated: 4/15/2024

Federal agencies were directed on Thursday to “immediately” address a cyber threat by Russian-linked hackers targeting Microsoft corporate email accounts.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive mandating urgent steps for federal agencies to mitigate the risk posed by the hacker group.

Specifically, the directive applies to federal civilian executive branch agencies (FCEB) targeted by Midnight Blizzard, a Russian state-sponsored actor that accessed Microsoft corporate email accounts.

The group is also known as Nobelium, the same Russian hacking team behind the SolarWinds breach.

CISA’s Thursday directive told federal agencies to take “steps to identify the full content of the agency correspondence with compromised Microsoft accounts and perform a cybersecurity impact analysis.”

They were also told to analyze potentially compromised emails, reset compromised credentials, and enhance security measures for privileged Microsoft Azure accounts.

Jen Easterly, director of CISA, America’s cyber defense agency, stressed that the directive is a top priority requiring urgent attention.

In a statement, she emphasized the need for “immediate actions” by federal agencies to reduce risk to federal systems.

“For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity.”

While the directive specifically targets FCEB agencies, CISA has encouraged other organizations to seek guidance from their respective Microsoft account teams.

Additionally, all organizations were advised to implement stringent security measures such as strong passwords, multifactor authentication, and secure channels for sensitive information.

A Microsoft spokesperson told The Epoch Times in a statement: “As we shared in our March 8 blog, as we discover secrets in our exfiltrated email, we are working with our customers to help them investigate and mitigate. This includes working with CISA on an emergency directive to provide guidance to government agencies.”

Midnight Blizzard Attack

Microsoft, which initially revealed the breach in January, disclosed in March that Midnight Blizzard had been attempting to breach its systems by leveraging information initially “exfiltrated from corporate email systems.”

These attempts aimed to gain unauthorized access. Microsoft had revealed in January that a “very small percentage” of its corporate email accounts had been compromised in a “nation-state attack” by Midnight Blizzard.

Midnight Blizzard was able to access some of Microsoft’s source code repositories and internal systems. The company said that, at the time, it hadn’t found evidence that Microsoft-hosted customer-facing systems were compromised.

In a March blog post, Microsoft noted, “It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found.”

These “secrets” include information shared between customers and Microsoft via email. Microsoft pledged to inform and assist affected customers with mitigation measures.

Microsoft noted that Midnight Blizzard may be “using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so.”

Additionally, Microsoft highlighted a significant increase in specific types of attacks, such as password sprays, by as much as tenfold in February. Password sprays involve trying the same password against many different accounts in an attempt to gain unauthorized access.
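The spray pattern described above is distinguishable in sign-in logs from ordinary brute force: a few failures per account spread across many accounts from one source, rather than many failures against one account. The following is an added detection example, not code from the article or from Microsoft or CISA; the log format, IP addresses and account names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: "<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>".
SAMPLE_LOG = """\
2024-02-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-02-01T10:00:04Z 203.0.113.7 bob@example.com FAIL
2024-02-01T10:00:09Z 203.0.113.7 carol@example.com FAIL
2024-02-01T10:00:15Z 203.0.113.7 dave@example.com FAIL
2024-02-01T10:00:22Z 203.0.113.7 erin@example.com FAIL
2024-02-01T10:00:30Z 203.0.113.7 frank@example.com SUCCESS
2024-02-01T10:01:00Z 198.51.100.2 alice@example.com FAIL
2024-02-01T10:01:05Z 198.51.100.2 alice@example.com FAIL
"""

def parse_events(text):
    """Parse log lines into (timestamp, source_ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources that, inside one `window`, failed against >= `min_accounts` distinct
    accounts with <= `max_per_account` failures on any single one (the spray shape);
    a source hammering one account does not match. Returns {source_ip: sorted accounts}."""
    by_src = defaultdict(list)
    for ts, src, account, result in events:
        if result == "FAIL":
            by_src[src].append((ts, account))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):  # sliding time window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, account in fails[start:end + 1]:
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[src] = sorted(counts)
                break
    return alerts

def successes_from_flagged(events, alerts):
    """Accounts that signed in successfully from a flagged source: first candidates for credential reset."""
    return sorted({a for _, src, a, r in events if r == "SUCCESS" and src in alerts})
```

Thresholds such as `min_accounts` and `window` are tuning knobs and should be set against a baseline of normal failed-login volume for the tenant.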

The hackers had allegedly used a password spray attack last November to breach a Microsoft platform.

Microsoft noted in a regulatory filing on Jan. 19 that it was able to remove the hackers’ access from the compromised accounts on or about Jan. 13.

Publicly traded companies like Microsoft are required by new Securities and Exchange Commission regulations to disclose breaches that could negatively impact their business. The regulations give them four business days to file a report outlining the time, scope, and nature of the breach to the government unless they obtain a national security waiver.

This report was updated with a statement from Microsoft.