The Cybersecurity and Infrastructure Security Agency (CISA) publicly issued an emergency directive today calling on Federal agencies to take immediate action to reset authentication credentials following a breach of Microsoft corporate email accounts by Russian state-sponsored cyber actor Midnight Blizzard.

CISA initially sent the emergency directive to Federal agencies on April 2 and publicly released it on Thursday.

The directive is only applicable to affected agencies, requiring them to analyze potentially affected emails and reset any compromised authentication credentials. CISA and Microsoft have contacted all affected Federal agencies whose emails have been identified as compromised thus far.

Eric Goldstein, CISA’s executive assistant director for cybersecurity, told reporters today that CISA would not be releasing the number of affected Federal agencies, as Microsoft’s investigation is ongoing.

“This Emergency Directive requires immediate action by agencies to reduce risk to our Federal systems,” CISA Director Jen Easterly said in a statement. “For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our Federal government and private sector partners to protect and defend our systems from such threat activity.”

According to Goldstein, Microsoft found that some of the compromised email accounts potentially contained authentication details, such as usernames and passwords or authentication tokens.

Goldstein said sharing authentication credentials via email is “certainly not a best practice and is one that does associate with a significant degree of risk.” However, he said agencies may have shared them via email as part of a troubleshooting ticket or as part of a code snippet between organizations to fix a bug.

The emergency directive gives agencies until April 30 to reset credentials for related applications and to “review sign in, token issuance, and other account activity logs for users and services whose credentials were suspected or observed as compromised.”

The agencies are also required to provide CISA with a status update in response to the directive – the first deadline of April 8 has already passed, and the next deadline is May 1.

“Agencies have moved with extraordinary urgency to remediate any instances of potentially exposed credentials. This is something that every agency takes very seriously,” Goldstein said. “Agencies have undertaken the right level of urgent remediation pursuant to this directive.”

Notably, Goldstein emphasized that this incident is “unrelated” to the summer 2023 Microsoft Exchange Online intrusion. That incident made news last week after the Cyber Safety Review Board (CSRB) issued a report that attributed the success of the China-based hack to “a cascade of security failures at Microsoft” and an “inadequate” security culture at the company.

In its report, the CSRB concludes that the China-based hack – which compromised the email accounts of several U.S. government officials, including Commerce Secretary Gina Raimondo – “was preventable and should never have occurred.”

“CISA, as part of our broad effort to drive adoption of secure-by-design practices and enable the security of the Federal civilian government, is working closely with Microsoft as part of their continued investment to advance security across their products and services,” Goldstein said today.

“As we discover secrets in our exfiltrated email, we are working with our customers to help them investigate and mitigate. This includes working with CISA on an emergency directive to provide guidance to government agencies,” a Microsoft spokesperson told MeriTalk.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.