Russian Spies Breach Microsoft, Steal Emails from US Government: Urgent Security Measures Required

A recent breach at Microsoft allowed Russian spies to access and steal emails from various US government agencies. Because sensitive data was compromised, the Cybersecurity and Infrastructure Security Agency (CISA) is advising these agencies to thoroughly check their emails and to reset API keys and passwords as a precaution. Immediate action is necessary to address this security threat.

CISA issued an Emergency Directive on April 2 that was recently made public. The directive stated that government-backed hackers were able to access and steal email communications between Federal Civilian Executive Branch agencies and Microsoft. This breach occurred after Redmond's internal systems were compromised last month.

The individuals responsible, referred to as Midnight Blizzard or Cozy Bear, managed to access information exchanged between customers and Microsoft via email, including authentication details. CISA reported that this information is now being used to try to infiltrate other systems, including those belonging to Microsoft customers.

Emergency Directive ED 24-02 from CISA mandates that federal agencies review and evaluate exfiltrated emails, change any compromised login information, and implement further measures to guarantee the security of authentication methods for important Microsoft Azure accounts.

CISA directed agencies to report on their progress with all necessary actions by April 8 and to give another update by May 1. They are also required to provide weekly updates on the steps they are taking to fix any issues until everything is resolved. CISA has given the agencies a template and instructions to use for reporting.

Microsoft and CISA have informed all federal agencies that their email communication with Microsoft was accessed by Midnight Blizzard.

The company agreed to give affected agencies information about stolen emails containing login details and provide metadata on all stolen federal agency emails when requested by the National Cyber Investigative Joint Task Force, led by the FBI.

According to Microsoft, Midnight Blizzard significantly increased its intrusion attempts, such as password spraying attacks, in February, by up to ten times compared with the already high number of attempts seen in January 2024.

This new development will further damage Microsoft's reputation, which had already been affected by the initial incident in January.

Amit Yoran, the chairman and CEO of cybersecurity company Tenable, expressed concern about Microsoft's lax security practices and lack of transparency, emphasizing that this could have serious implications for national security. Yoran also pointed out that commercial clients of Microsoft may not have the same level of influence or attention as the US government, making it even more crucial for Microsoft to prioritize security measures.

It is not unexpected to hear that Midnight Blizzard's intrusion campaign intensified after it was first detected. With Microsoft's history of not fully disclosing information, making misleading statements, and downplaying security breaches, it was only a matter of time before the situation worsened.
