The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive telling all federal civilian executive branch (FCEB) agencies to guard against attacks from the Russia-linked Midnight Blizzard hackers currently leveraging compromised Microsoft email accounts.
Agencies affected by the espionage hacking campaign of Midnight Blizzard (more commonly known as Nobelium) have been directed to reset authorization credentials and take other security steps in response to stolen emails or passwords. CISA has not disclosed the number of involved agencies.
Specifically, Emergency Directive (ED) 24-02 requires federal civilian agencies to analyze the content of exfiltrated emails and to secure privileged Microsoft Azure accounts.
Microsoft Midnight Blizzard Compromise Scope: CISA
Microsoft began disclosing the incident in January 2024.
“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said. “The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems.”
According to Microsoft, “Midnight Blizzard has increased the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold in February, compared to an already large volume seen in January 2024.”
Agencies Encouraged to Contact Microsoft
ED 24-02 applies only to FCEB agencies, but other organizations may also have been impacted by the exfiltration of Microsoft corporate email, authorities said. Those organizations are “encouraged to contact their respective Microsoft account team for any additional questions or follow up,” CISA said.
Microsoft said it will provide metadata to agencies whose exfiltrated emails include sensitive information.
“Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard,” the directive reads. “In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.”
According to the ED, affected agencies that receive email metadata from Microsoft “corresponding to known or suspected authentication compromises” are ordered to take “immediate remediation action” for tokens, passwords, API keys, or other authentication credentials known or suspected to be compromised.
Recommended Action for Authentication Compromises
For any known or suspected authentication compromises, agencies must take the following actions by April 30, 2024:
- Reset credentials in associated applications and deactivate associated applications that are no longer of use to the agency.
- Review sign-in, token issuance and other account activity logs for users and services whose credentials were suspected or observed as compromised for potential malicious activity.
Also by April 30, all affected agencies must take the following actions:
- Identify the full content of the agency correspondence with compromised Microsoft accounts and perform a cybersecurity impact analysis. For known or suspected authentication compromises identified through agency analysis, CISA said it will work with agencies on an updated timeline for completing these required actions.
Agencies are required to provide a status update to CISA by May 1, 2024, and provide weekly updates on remediation actions for authentication compromises until completion. CISA said it will provide agencies with a reporting template and reporting instructions.
The emergency directive came after CISA said it was investigating a data breach at business intelligence company Sisense. CISA has advised Sisense customers to reset their credentials.
Since January 22, 2019, CISA has issued 14 Emergency Directives. Most recently, the agency issued ED 24-01 urging FCEB agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure and Ivanti Policy Secure products.