US Government on High Alert as Russian Hackers Steal Critical Correspondence From Microsoft

The US government says Midnight Blizzard’s compromise of Microsoft corporate email accounts “presents a grave and unacceptable risk to federal agencies.”

The US cybersecurity agency CISA on Thursday issued an emergency directive mandating that all federal agencies immediately hunt for signs of a known Russian APT that broke into Microsoft’s corporate network and pivoted to steal sensitive correspondence from US government agencies.

The directive comes less than three months after Redmond disclosed the embarrassing hack and confirmed the ‘Midnight Blizzard’ attackers also stole source code and may still be poking around its internal computer systems. 

According to the CISA directive, federal agencies must immediately “analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.”

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said.

The agency warned that the Russian government-backed hackers are using information initially exfiltrated from the corporate email systems — including authentication details shared between Microsoft customers and Microsoft by email — to gain, or attempt to gain, additional access to Microsoft customer systems. 

The agency said it worked with the world’s largest software maker to notify all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by the Midnight Blizzard threat actor.

“In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies,” CISA said.

The agency said Microsoft also agreed to provide metadata for all exfiltrated federal agency correspondence — regardless of the presence of authentication secrets — upon the request of the National Cyber Investigative Joint Task Force (NCIJTF), which is the single federal point of contact for this incident.

Earlier this year, Microsoft said the professional hacking team used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts.

“[They] exfiltrated some emails and attached documents,” Microsoft said in a filing with the Securities and Exchange Commission (SEC). The company said its security team detected the nation-state attack on its corporate systems on January 12, 2024 and traced the intrusion back to November 2023.

The discovery of Russian hackers in Microsoft’s network comes less than six months after Chinese cyberspies were caught forging authentication tokens with a stolen Azure AD enterprise signing key to break into M365 email inboxes.

Following that breach, which led to the theft of email data from about 25 government organizations in the United States, the Cyber Security Review Board (CSRB) issued a scathing report that called out “a cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.”

“Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” according to the CSRB report.

Related: Microsoft’s Security Chickens Have Come Home to Roost

Related: Microsoft Says Russian Hackers Stole Source Code

Related: Microsoft Says Russian Gov Hackers Stole Email Data From Senior Execs

Related: Chinese Cyberspies Use Stolen Microsoft Key to Hack Gov Emails

Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.