The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive following the discovery that Russian espionage operatives, known as Midnight Blizzard or Cozy Bear, infiltrated Microsoft's email system. The breach, first reported earlier this year, allowed the attackers to access and exfiltrate sensitive data, including email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft. The stolen data includes authentication details, which are reportedly being used in attempts to access further systems.
Details of the Breach and Immediate Actions Required
In response to the breach, CISA's Emergency Directive ED 24-02 requires federal agencies to conduct a thorough review of the compromised emails, reset any exposed credentials, and strengthen the security of authentication tools, particularly for privileged Microsoft Azure accounts. Agencies must report their initial findings by April 8, provide a further update by May 1, and then submit weekly updates on remediation efforts until the issue is fully resolved. Microsoft has committed to providing affected agencies with metadata on the exfiltrated emails, to help them identify and mitigate the resulting security risks.
Implications and Responses
The breach is not only a major cybersecurity threat but also casts a shadow over Microsoft's security practices. Critics, including Amit Yoran, chairman and CEO of Tenable, have voiced concerns to The Register over Microsoft's handling of the incident, suggesting that the company's “lackadaisical security practices and negligent approach to disclosure” pose a national security risk. The escalation of intrusion attempts by Midnight Blizzard, notably through password spraying attacks, which reportedly increased tenfold in February compared to January, underscores the persistent threat posed by the group.
Beyond the directive itself, CISA plans to compile a comprehensive report by September 1 detailing the cross-agency status and any outstanding issues. This report will be submitted to the Secretary of Homeland Security and the Director of the Office of Management and Budget, with a copy also provided to the National Cyber Director. The incident highlights the ongoing challenges in cybersecurity and the need for vigilant security practices among federal agencies and their private sector partners.