CISA Publishes ‘Emergency’ Order On Microsoft Breach By Russian Group, Confirms Stolen Emails

The U.S. cybersecurity agency says that emails were stolen from federal agencies in connection with the compromise of Microsoft’s corporate email system by the nation-state threat actor known as Midnight Blizzard.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published its recently issued emergency directive Thursday, which confirmed that a Russian state-sponsored hacker group was able to steal emails from federal agencies in connection with the breach of Microsoft executive accounts.

The threat actor, known as Midnight Blizzard, has been associated with Russia’s SVR foreign intelligence unit by the U.S. government.

Through the compromise of Microsoft corporate email accounts, Midnight Blizzard has “exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft,” CISA said in the emergency directive.

“The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems,” CISA said in the directive.

The emergency directive orders federal agencies to “immediately mitigate” the “significant risk” posed by the threat actor, including through analyzing the content of stolen emails and resetting credentials.

The breach was first disclosed by Microsoft in January and is believed to have begun in November. The compromise was initially believed to have affected members of the tech giant’s senior leadership team as well as employees on its cybersecurity and legal teams.

In an update on the incident in early March, Microsoft disclosed that Midnight Blizzard was still attempting to exploit information gathered in the attack. The threat group has previously been held responsible for attacks including the widely felt 2020 breach of SolarWinds.

‘Immediate Action’

The emergency directive is dated April 2 and was previously confirmed by Microsoft in a statement to CRN. The existence of the directive was first reported by Scoop News Group.

The directive “requires immediate action by agencies to reduce risk to our federal systems,” CISA Director Jen Easterly said in a news release.

“For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook,” Easterly said. “This latest compromise of Microsoft adds to their long list.”

The directive follows the recent blistering report about Microsoft’s security culture and practices issued by the U.S. Homeland Security-appointed Cyber Safety Review Board.

Earlier this month, the board released a 34-page report on last year’s Microsoft Exchange Online breach, which was linked to China and impacted multiple federal agencies and officials including Commerce Secretary Gina Raimondo. The review board pinned the cloud email breach on a “cascade of Microsoft’s avoidable errors.”

In the Midnight Blizzard attack, meanwhile, Microsoft confirmed in late January that hackers initially gained access by exploiting a lack of multifactor authentication on a “legacy” account.