CISA: Midnight Blizzard obtained federal agency emails

CISA issued an emergency directive Thursday ordering U.S. government agencies affected by Midnight Blizzard's hack against Microsoft to "take immediate remediation action."

On Jan. 19, Microsoft disclosed that a Russian nation-state threat actor it tracks as Midnight Blizzard, also known as Cozy Bear and APT29, accessed "a very small percentage of Microsoft corporate email accounts." CISA revealed Thursday that those email accounts included correspondence with Federal Civilian Executive Branch agencies.

Midnight Blizzard, which was also behind the massive supply chain attack against SolarWinds disclosed in 2020, breached Microsoft through a password spraying attack targeting a legacy nonproduction test tenant account. The attack began in November and was discovered on Jan. 12.

In March, the company said that in addition to obtaining emails and documents, Midnight Blizzard accessed source code and internal systems. Moreover, the threat actor made off with cryptographic secrets and was attempting to use them against other Microsoft customers.

To that end, CISA's latest emergency directive, ED 24-02, covers the U.S. cybersecurity agency's aims to mitigate risk at government agencies affected by Midnight Blizzard's attack. Dated April 2 and published Thursday, the emergency directive said the threat actor "has exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft through a successful compromise of Microsoft corporate email accounts."

"The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems," CISA said. "Midnight Blizzard's successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies."

In order to mitigate said risk, CISA ordered U.S. government agencies affected by the breach to take immediate action to remediate cryptographic information such as passwords or API keys known or suspected to be compromised; fully analyze agency correspondence with compromised Microsoft corporate email accounts; and notify CISA in the event that a compromise is known or suspected. Agencies were told to notify CISA by end of day on April 8 and to provide a status update by end of day on May 1.

According to the directive, Microsoft will provide metadata for emails with cryptographic secrets to agencies with exposures, as well as metadata for any correspondence with federal agencies upon request by the National Cyber Investigative Joint Task Force. CISA, meanwhile, will support affected agencies with technical and analytical assistance as needed.

While the directive's requirements only apply to FCEB agencies, CISA said other organizations might also have been affected by the Midnight Blizzard breach and encouraged customers to contact their respective Microsoft account representatives for guidance.

In a Thursday CISA press briefing call, CISA Executive Assistant Director for Cybersecurity Eric Goldstein said, "At this time, we are not aware of any agency production environments that have experienced a compromise as a result of credential exposure."

A Microsoft spokesperson shared the following statement with TechTarget Editorial.

"As we shared in our March 8 blog, as we discover secrets in our exfiltrated email, we are working with our customers to help them investigate and mitigate," the spokesperson said. "This includes working with CISA on an emergency directive to provide guidance to government agencies."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.