In response to a cyber campaign by the Russian state-sponsored hacker group Midnight Blizzard targeting Microsoft corporate email accounts, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 24-02.
Initially issued to federal agencies on 2 April, this directive aims to address the potential compromise of correspondence with federal civilian executive branch (FCEB) agencies due to the campaign. The directive remains effective until CISA confirms the agencies' completion of all required actions or is terminated through other appropriate means.
Earlier this year, Microsoft reported that the Russian state-sponsored hacking group Midnight Blizzard, also known as Nobelium, had compromised corporate email accounts. The compromised data includes authentication details, which the threat actor uses to gain additional access to Microsoft customer systems.
dig.watchMicrosoft alerts of ongoing hacking attempt by Russian groupMidnight Blizzard hacked into Microsoft's corporate email systems in January, stealing emails and documents. 8 Mar 2024 dig.watchMicrosoft alerts of ongoing hacking attempt by Russian groupMidnight Blizzard hacked into Microsoft's corporate email systems in January, stealing emails and documents. 8 Mar 2024The volume of intrusion activities, such as password sprays, significantly increased in February 2024 compared to January.
Recognising the risk from this threat actor, ED 24-02 mandates federal agencies to analyse exfiltrated emails, reset compromised credentials, and secure privileged Microsoft Azure accounts. CISA oversees adherence to this directive and provides support and additional resources. While the directive targets Federal Civilian Executive Branch (FCEB) agencies, other organisations impacted by the exfiltration are encouraged to enhance security measures.
Agencies receiving metadata corresponding to authentication compromises from Microsoft must take immediate remediation action. They are required to reset credentials, deactivate unnecessary applications, and review account activity logs for potential malicious activities. Agencies must also identify the content of correspondence with compromised Microsoft accounts and conduct a cybersecurity impact analysis, with notifications provided to CISA.
The directive specifies reporting requirements for agencies to update CISA on their progress. CISA, in turn, assists agencies in accessing and analysing email content and continues efforts to identify and mitigate threats associated with Midnight Blizzard. A comprehensive report on cross-agency status and outstanding issues is scheduled for submission to relevant authorities by 1 September.