CISA Issues Emergency Order to Federal Agencies Amid Russian Hacking of Microsoft Accounts

The U.S. Cybersecurity and Infrastructure Security Agency today published an emergency directive requiring federal agencies to take action against a campaign in which a Russian state-sponsored hacking group used compromised Microsoft Corp. corporate email accounts.

The directive concerns a campaign by the suspected Russian state-sponsored group Midnight Blizzard, which used compromised Microsoft corporate email accounts to exfiltrate correspondence between Microsoft and agencies of the Federal Civilian Executive Branch, the part of the U.S. government made up of the civilian executive departments and agencies. It requires affected agencies to analyze the content of the exfiltrated emails, reset any compromised credentials, and take additional steps to secure privileged Microsoft Azure accounts.

Although the requirements of Emergency Directive ED 24-02 apply only to FCEB agencies, CISA warns that other organizations may also be affected by the exfiltration of Microsoft corporate email and encourages all Microsoft customers to contact their respective account team with any additional questions.

In the full directive, CISA details how Midnight Blizzard is using information originally exfiltrated from Microsoft's corporate email systems, including authentication details that Microsoft and its customers had shared with each other by email, to gain, or attempt to gain, additional access to customer systems. Citing Microsoft, CISA notes that Midnight Blizzard increased the volume of some aspects of the campaign, such as password sprays, by as much as tenfold in February compared with January, a month that had already seen a large volume of attacks.

One of Midnight Blizzard's partially successful attacks was disclosed by Microsoft in January, when the company reported that a small number of its corporate email accounts, including those of senior leadership, had been compromised. Midnight Blizzard is Microsoft's current name for the group, which it previously tracked as Nobelium; the group is also widely known as APT29 or Cozy Bear.

It is the same group behind the SolarWinds Worldwide LLC supply-chain compromise, which began in 2019 but was first discovered in December 2020, and Microsoft was among the companies that attributed that campaign to Nobelium and issued warnings about the group.

The compromise of Microsoft's corporate email accounts is what led to today's directive: the exfiltrated correspondence between agencies and Microsoft contained material that could give Midnight Blizzard a path into accounts at FCEB agencies.

The directive requires agencies to take immediate remediation action wherever tokens, passwords, application programming interface keys or other authentication secrets are known or suspected to have been compromised. By April 30, agencies must reset credentials in the associated applications, deactivate any associated applications that are no longer in use, and review sign-in, token issuance and other account activity logs for the users and services whose credentials were suspected or observed to be compromised, looking for signs of malicious activity.

In addition, agencies are required to identify the full content of their correspondence with the compromised Microsoft accounts and perform a cybersecurity impact analysis. For any authentication compromise discovered through that analysis, agencies must notify CISA and follow the remediation steps above, with CISA providing support and an updated timeline for those actions.
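The log review the directive asks for boils down to two questions: did a principal whose credential appeared in the exfiltrated correspondence sign in after the suspected compromise, especially from infrastructure it never used before, and which applications are quietly unused and can simply be deactivated? The script below is an added example, not CISA's or Microsoft's tooling, and runs over a constructed sample export; the record layout (createdDateTime, principal, appId, ipAddress, errorCode) is an assumption loosely modelled on Entra ID sign-in log fields, and the principal names, application IDs, dates and addresses are all made up.

```python
"""Triage of exported sign-in records for an ED 24-02-style response.

Added example, not CISA's or Microsoft's tooling. The record layout is an
assumption loosely modelled on fields of an Entra ID sign-in log export;
the sample data and every name below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed sample export (not real data): one JSON object per line.
# svc-mailsync is the principal whose secret is assumed to have appeared in
# the exfiltrated correspondence; the 198.51.100.77 sign-ins show that
# secret being replayed from an address the principal never used before.
SAMPLE_SIGNINS = """
{"createdDateTime":"2023-11-15T09:00:00Z","principal":"svc-mailsync","appId":"a1","appDisplayName":"MailSync","ipAddress":"203.0.113.10","errorCode":0}
{"createdDateTime":"2023-12-01T10:00:00Z","principal":"svc-mailsync","appId":"a1","appDisplayName":"MailSync","ipAddress":"203.0.113.10","errorCode":0}
{"createdDateTime":"2023-10-02T08:00:00Z","principal":"svc-legacy-reports","appId":"a3","appDisplayName":"LegacyReports","ipAddress":"203.0.113.10","errorCode":0}
{"createdDateTime":"2024-01-14T03:12:00Z","principal":"svc-mailsync","appId":"a1","appDisplayName":"MailSync","ipAddress":"198.51.100.77","errorCode":50126}
{"createdDateTime":"2024-01-14T03:15:00Z","principal":"svc-mailsync","appId":"a1","appDisplayName":"MailSync","ipAddress":"198.51.100.77","errorCode":0}
{"createdDateTime":"2024-01-20T11:00:00Z","principal":"alice@agency.example","appId":"a2","appDisplayName":"Office","ipAddress":"203.0.113.10","errorCode":0}
{"createdDateTime":"2024-02-03T22:41:00Z","principal":"svc-mailsync","appId":"a1","appDisplayName":"MailSync","ipAddress":"203.0.113.10","errorCode":0}
"""


def parse_signins(text):
    """Parse newline-delimited JSON records; timestamps become aware datetimes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["createdDateTime"] = datetime.fromisoformat(
            rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def triage(records, compromised, window_start, now, stale_days=90):
    """Flag post-compromise activity by suspected principals and list stale apps.

    compromised  - principals whose credentials are known or suspected stolen
    window_start - earliest time the stolen material could have been used
    now          - reference time for the 'no longer in use' check
    """
    # Baseline: source IPs each principal used before the compromise window.
    baseline_ips = defaultdict(set)
    for r in records:
        if r["createdDateTime"] < window_start:
            baseline_ips[r["principal"]].add(r["ipAddress"])

    # Every sign-in by a suspected principal inside the window is reviewed;
    # a never-before-seen source IP is the strongest replay indicator, and
    # failures are kept because they show the secret being tried.
    flagged = []
    for r in sorted(records, key=lambda x: x["createdDateTime"]):
        if r["principal"] in compromised and r["createdDateTime"] >= window_start:
            flagged.append({
                "time": r["createdDateTime"].isoformat(),
                "principal": r["principal"],
                "appId": r["appId"],
                "ip": r["ipAddress"],
                "new_ip": r["ipAddress"] not in baseline_ips[r["principal"]],
                "succeeded": r["errorCode"] == 0,
            })

    # Apps with no successful sign-in in the last stale_days are candidates
    # for deactivation rather than credential rotation.
    last_success = {}
    for r in records:
        if r["errorCode"] == 0:
            prev = last_success.get(r["appId"])
            if prev is None or r["createdDateTime"] > prev:
                last_success[r["appId"]] = r["createdDateTime"]
    never = datetime.min.replace(tzinfo=timezone.utc)
    cutoff = now - timedelta(days=stale_days)
    all_apps = {r["appId"] for r in records}
    stale_apps = sorted(a for a in all_apps if last_success.get(a, never) < cutoff)
    return {"flagged": flagged, "stale_apps": stale_apps}


def run_sample():
    """Run the triage over the constructed export with assumed dates."""
    records = parse_signins(SAMPLE_SIGNINS)
    return triage(records,
                  compromised={"svc-mailsync"},
                  window_start=datetime(2024, 1, 1, tzinfo=timezone.utc),
                  now=datetime(2024, 4, 11, tzinfo=timezone.utc))


if __name__ == "__main__":
    result = run_sample()
    for f in result["flagged"]:
        tag = "NEW-IP" if f["new_ip"] else "known-ip"
        outcome = "ok" if f["succeeded"] else "FAILED"
        print(f'{f["time"]} {f["principal"]} app={f["appId"]} {f["ip"]} {tag} {outcome}')
    print("deactivation candidates:", result["stale_apps"])
```

On the sample data the three svc-mailsync sign-ins after 1 January are reported, two of them from the new address, and the legacy reporting app, unused since October, is listed for deactivation while the still-active apps are left for credential rotation. With a real export the compromised set comes from the correspondence analysis the directive requires, and the window start should be the earliest date the stolen mail could have been read, not the date the theft was discovered.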

The emergency directive came after CISA announced earlier today that it was investigating a data breach at business intelligence company Sisense Ltd. CISA provided few details about the hack, saying only that it had been made aware of it by an independent security researcher and that Sisense customers should reset their credentials.
