The U.S. Cybersecurity and Infrastructure Agency today issued an emergency directive mandating that all federal agencies take steps to guard against attacks from a Russian hacking group using compromised Microsoft Corp. accounts.

The emergency directive came after CISA revealed earlier today that it was investigating a data breach at business intelligence company Sisence Ltd. CISA did provide many details on the hack, saying that it had become aware of it via an independent security researcher and that Sisense customers should reset their credentials.

The Microsoft-related decree relates to a campaign by the alleged Russian state-sponsored hacking group Midnight Blizzard to exfiltrate email correspondence from the Federal Civilian Executive Branch, the part of the U.S. government composed of civilian employees who work in executive departments and agencies, using compromised Microsoft accounts. The directive requires all agencies to analyze the content of exfiltrated emails, reset compromised credentials and take additional steps to secure privileged Microsoft Azure accounts.

Although the requirements of the emergency directive, ED 24-02, only apply to FCEB agencies, CISA is warning that other organizations may also have been affected by the exfiltration of Microsoft email accounts and are encouraging Microsoft users to contact their respective account team for any additional questions or follow up.

In the full directive, CISA details how Midnight Blizzard is using information initially exfiltrated from corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems. Citing Microsoft, CISA notes that Midnight Blizzard increased aspects of its operation by 10-fold in February compared to January, which had already seen a significant volume of attacks.

One of Midnight Blizzard’s somewhat successful attacks involved Microsoft in January, when a small number of email accounts, including those belonging to senior staff, were compromised. The name of the group, Midnight Blizzard comes from Microsoft, but the group is more commonly known as Nobelium.

It’s the same group behind the attacks on SolarWinds WorldWide LLC, which started in 2019 but was first detected in December 2020. And the company that traced Nobelium to SolarWinds and issued warnings about the group was Microsoft.

The compromise of Microsoft corporate email accounts is what led to today’s CISA warning. The exfiltration of correspondence between agencies and Microsoft gave Midnight Blizzard a way to infiltrate and compromise accounts at FCEB agencies.

The emergency decree requires agencies to take immediate remediation action if tokens, passwords, application programming interface keys, or other authentication credentials are known or suspected to be compromised. By April 30, agencies must reset the credentials in associated applications, deactivate any applications no longer in use and review sign-in, token issuance and other account activity logs for signs of potential malicious activity.

In addition, agencies are required to identify all correspondence content with compromised Microsoft accounts and conduct a cybersecurity impact analysis. In cases of authentication compromises discovered through agency analysis, agencies must notify CISA and adhere to the initial steps outlined, with CISA providing support and an updated timeline for these actions.

Image: CISA