Russian nation-state hackers have exploited a recent Microsoft email compromise to steal the emails of government agencies, the US Cybersecurity and Infrastructure Security Agency (CISA) has reiterated in a new alert.
The warning ordered agencies to urgently check their email systems for signs of compromise and report back by April 30 if they believe specific emails or documents were compromised.
Originally distributed by CISA as an emergency order on April 2 and made public on Thursday, the latest Emergency Directive 24-02 requires federal agencies to take various actions, including resetting credentials, securing privileged Microsoft Entra ID (Azure) accounts, and analyzing email traffic.
CISA said it believed that the Russian government-backed Midnight Blizzard threat group was using access gained during an attack on Microsoft in November 2023 to potentially access email communications between the company and Federal Civilian Executive Branch (FCEB) agencies.
The alert doesn’t specify which agencies have been successfully targeted nor the extent of any compromise, but the FCEB covers a wide range of important agencies including the Department of Homeland Security (DHS), the Department of State (DOS), and the Department of Justice.
Echoing Microsoft’s first public announcements on the attack revealed in January, CISA was in no doubt as to the origins or motivation for the campaign.
“For several years, the US government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity,” CISA Director Jen Easterly was quoted as saying.
Microsoft’s announcements around Midnight Blizzard’s campaign against it have been like a slow reveal that gets worse with each new twist.
Microsoft originally named Midnight Blizzard as being behind the attack, which it said commenced in late November 2023. The group used a simple password spray technique to gain a foothold in its network with what Microsoft described as a “legacy non-production test tenant account.”
At that time, the attack was said to have targeted senior Microsoft executives but was still believed to be limited in scope. However, in a more recent update in March, the assessment had darkened, with the company admitting the attackers had gained access to internal systems and source code.
There is a longer-term pattern at work: in August 2023 the company published a warning that Midnight Blizzard was targeting Microsoft customers through social engineering attacks on Microsoft Teams.
Who is Midnight Blizzard?
Associated by the US and UK with the Russian SVR Foreign Intelligence Service, Midnight Blizzard is known by several nicknames depending on which security vendor is doing the naming. Other names include Nobelium, APT29, and Cozy Bear, the last made famous in 2016 when it was blamed along with a second Russian group, Fancy Bear, for breaching servers belonging to the Democratic National Committee (DNC).
After its successful initial attack on Microsoft, the group ramped up its password spray attacks tenfold between January and February in an attempt to probe for new weaknesses, CISA said.
Actions required
The April 2 Directive is fairly general in its recommendations but still manages to hand security teams inside agencies a pile of homework. This begins with working out which credentials might have been compromised by checking activity logs for large numbers of accounts, a huge job guaranteed to lead to hefty overtime. The timescale for this is ambitious:
- By April 30, refresh all authentication credentials such as passwords, tokens and API keys suspected of being compromised.
- “Reset credentials in associated applications and deactivate associated applications that are no longer of use to the agency.” It’s not clear exactly what this refers to, but it will relate to any secondary applications that have access to email streams or data, for example older backup systems.
But that is perhaps the easier part of the job; having identified compromised accounts, agencies then have to do what’s called an impact analysis, in other words, identify which documents sent via email might have fallen into the hands of the attackers. Finally, they must relay any bad news on this to CISA itself.
CISA said it would help with the impact analysis for agencies that lacked the resources to do it for themselves. CISA will, however, require regular status updates on the above actions.
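As an added example (not from CISA, Microsoft or this article), here is a small Python check of the kind the directive’s log review implies: it scans constructed Entra ID-style sign-in records for the password spray pattern the article attributes to Midnight Blizzard (many accounts, one or two failed attempts each, from a single source) and lists any account that then authenticated successfully from that source as a candidate for the credential refresh. Field names and the 50126 error code follow the Entra ID sign-in log schema; the records themselves are invented.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records in the style of Entra ID sign-in logs.
# The data is invented for this example; errorCode 50126 = invalid
# username or password, errorCode 0 = successful sign-in.
SAMPLE_LOG = """
{"userPrincipalName":"a.lee@example.gov","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"userPrincipalName":"b.ng@example.gov","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"userPrincipalName":"c.ortiz@example.gov","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"userPrincipalName":"d.shah@example.gov","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"userPrincipalName":"e.kim@example.gov","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"userPrincipalName":"svc-test@example.gov","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"userPrincipalName":"f.wu@example.gov","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"userPrincipalName":"f.wu@example.gov","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"userPrincipalName":"f.wu@example.gov","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"userPrincipalName":"a.lee@example.gov","ipAddress":"192.0.2.5","status":{"errorCode":0}}
"""

def parse_signins(text):
    """One JSON record per line, as exported from a log store."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_password_spray(records, min_users=5, max_attempts_per_user=2):
    """Flag source IPs that fail against many distinct accounts with only a
    few attempts each. Brute force against one account (many failures,
    one user) is deliberately not matched; that is a different pattern."""
    failures = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r.get("status", {}).get("errorCode") == 50126:
            failures[r["ipAddress"]][r["userPrincipalName"]] += 1
    findings = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
            findings[ip] = sorted(per_user)
    return findings

def accounts_to_reset(records, findings):
    """Accounts that signed in successfully from a spraying source: the
    spray may have landed, so these go on the credential-refresh list."""
    sprayers = set(findings)
    return sorted({r["userPrincipalName"] for r in records
                   if r["ipAddress"] in sprayers
                   and r.get("status", {}).get("errorCode") == 0})

if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    hits = detect_password_spray(recs)
    print("spray sources:", hits)
    print("reset candidates:", accounts_to_reset(recs, hits))
```

On the constructed data only 203.0.113.10 is flagged, and svc-test@example.gov is the one account to reset; the single-user failures from 198.51.100.7 are left for a separate brute-force rule.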