US Government on High Alert as Russian Hackers Steal Critical Correspondence From Microsoft

April 11, 2024 at 04:36PM

CISA issued an emergency directive requiring federal agencies to search for signs of a Russian APT that breached Microsoft’s network. The directive requires analysis of exfiltrated emails, resetting of compromised credentials, and securing of privileged Azure accounts. CISA and Microsoft notified affected federal agencies, and Microsoft agreed to provide metadata on the stolen correspondence. The breach follows a previous Chinese cyberspy incident.

Key takeaways from the article:

1. The US cybersecurity agency CISA has issued an emergency directive mandating federal agencies to search for signs of a Russian APT that breached Microsoft’s network and obtained sensitive information from US government agencies.

2. The directive requires federal agencies to analyze exfiltrated emails, reset compromised credentials, and ensure the security of authentication tools for privileged Microsoft Azure accounts.

3. CISA stated that the compromise of Microsoft corporate email accounts by the ‘Midnight Blizzard’ threat actor poses a significant risk to agencies and is unacceptable.

4. The agency warned that Russian government-backed hackers are leveraging exfiltrated information to gain additional access to Microsoft customer systems.

5. Microsoft has agreed to provide metadata for exfiltrated federal agency correspondence and emails containing authentication secrets to affected agencies and the NCIJTF.

6. Earlier this year, Microsoft revealed that the ‘Midnight Blizzard’ threat actor used a password spray attack to compromise a legacy non-production test tenant account, then used that foothold to access a small percentage of corporate email accounts and exfiltrate emails and documents.

7. The discovery of Russian hackers in Microsoft’s network follows an incident involving Chinese cyberspies using forged authentication tokens to breach M365 email inboxes.

8. The Cyber Safety Review Board (CSRB) issued a report criticizing Microsoft’s security culture and calling for an overhaul, in response to that earlier intrusion, which allowed the theft of email data from government organizations.

These key takeaways summarize the urgency of the situation, the actions being taken by CISA and Microsoft, and the broader security implications for federal agencies and Microsoft customers.
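The initial access technique named above, a password spray, has a distinctive shape in sign-in logs: one source hits many accounts with one or two guesses each, staying under per-account lockout thresholds. The following is an added example, not code from the article, CISA or Microsoft, that runs that heuristic over a constructed set of sign-in events and also lists the accounts the same source subsequently logged into, which is the first thing to reset under a directive like the one described. The event format, the sample IPs and account names, and the thresholds (five accounts, at most two failures per account, a thirty-minute window) are all assumptions chosen for illustration; real sign-in exports use different field names and tenants tune thresholds to their own baseline.

```python
"""Password-spray detection over sign-in events (added illustration, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as (ISO timestamp, account, source IP, result).
# None of these addresses or accounts are real; they exist only to exercise the detector.
SAMPLE_EVENTS = [
    # Spray from 203.0.113.7: one failed guess against each of six accounts, then a success.
    ("2024-04-11T09:00:01", "alice@example.test", "203.0.113.7", "failure"),
    ("2024-04-11T09:00:09", "bob@example.test", "203.0.113.7", "failure"),
    ("2024-04-11T09:00:17", "carol@example.test", "203.0.113.7", "failure"),
    ("2024-04-11T09:00:25", "dave@example.test", "203.0.113.7", "failure"),
    ("2024-04-11T09:00:33", "erin@example.test", "203.0.113.7", "failure"),
    ("2024-04-11T09:00:41", "frank@example.test", "203.0.113.7", "failure"),
    ("2024-04-11T09:01:02", "legacy-svc@example.test", "203.0.113.7", "success"),
    # Brute force against one account from 198.51.100.9: many failures, a single target.
    *[("2024-04-11T09:05:%02d" % i, "alice@example.test", "198.51.100.9", "failure")
      for i in range(10)],
    # Ordinary user typo from 192.0.2.50: one failure, then success on the same account.
    ("2024-04-11T09:10:00", "bob@example.test", "192.0.2.50", "failure"),
    ("2024-04-11T09:10:20", "bob@example.test", "192.0.2.50", "success"),
]


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_failures_per_account=2):
    """Return {source_ip: finding} for sources whose failures inside one `window`
    touch at least `min_accounts` distinct accounts with no more than
    `max_failures_per_account` failures each. Many accounts with few guesses each
    is the spray signature; a brute force (one account, many guesses) is not flagged.
    Thresholds are assumptions for this example, not published guidance."""
    parsed = sorted((datetime.fromisoformat(ts), user, ip, result)
                    for ts, user, ip, result in events)
    by_ip = defaultdict(list)
    for ev in parsed:
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "failure"]
        # Slide a window anchored at each failure; stop at the first window that matches.
        for i, start in enumerate(failures):
            per_account = defaultdict(int)
            for e in failures[i:]:
                if e[0] - start[0] > window:
                    break
                per_account[e[1]] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_failures_per_account):
                # Any account the same source logged into after the spray began is the
                # highest-priority credential reset, even if it was not itself sprayed.
                successes = sorted({e[1] for e in evs
                                    if e[3] == "success" and e[0] >= start[0]})
                findings[ip] = {
                    "first_failure": start[0].isoformat(),
                    "accounts_targeted": sorted(per_account),
                    "successes_after_spray": successes,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The `successes_after_spray` list is the actionable output: the spray itself tells you a source is guessing, but an account that accepted a login from that source afterwards is the one whose credentials and sessions need resetting first, and the reason to look at what mail and documents it could reach.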