The Cybersecurity and Infrastructure Security Agency has released an emergency directive requiring federal agencies to analyze the content of potentially affected emails and reset any compromised credentials, to help mitigate the risks posed by the Russian state-sponsored cyberthreat actor known as Midnight Blizzard.
The directive, issued to agencies on April 2, calls for them to take additional measures to ensure that authentication platforms for privileged Microsoft Azure accounts are secure, CISA said Thursday.
According to the document, Midnight Blizzard has exfiltrated email correspondence between federal civilian executive branch agencies and Microsoft through a compromise of Microsoft corporate email accounts.
The threat actor works to gain additional access to Microsoft customer systems by using information initially exfiltrated from corporate email systems.
“This Emergency Directive requires immediate action by agencies to reduce risk to our federal systems,” said CISA Director Jen Easterly.
“For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity,” added Easterly, a 2024 Wash100 awardee.
CISA and Microsoft have informed all affected federal agencies whose email correspondence with the company was identified as exfiltrated by the threat actor.
In late February, the National Security Agency and international partners issued a joint advisory detailing the tactics, techniques and procedures used by cyber actors of Russia's Foreign Intelligence Service, or SVR, to compromise cloud-hosted networks.