Heimdal

A new emergency directive from CISA requires U.S. federal agencies to address the risks arising from the Russian hacking group APT29's compromise of Microsoft corporate email accounts.

On April 2, Federal Civilian Executive Branch (FCEB) agencies received Emergency Directive 24-02. They must analyse potentially affected email correspondence, reset any credentials known or suspected to be compromised, and take additional steps to secure sensitive Microsoft Azure accounts.

Microsoft disclosed in January 2024 that the Russian threat group APT29 (also tracked as Midnight Blizzard and NOBELIUM) had gained access to its corporate email accounts. The intrusion began with a password spray attack that compromised a legacy non-production test tenant account, which the attackers then used as a foothold to reach corporate mailboxes.

According to CISA, information stolen from Microsoft's corporate email systems, including authentication details exchanged by email between Microsoft and its customers, is being used by the Russian Foreign Intelligence Service (SVR) to gain, or attempt to gain, access to specific customer systems.

CISA Director Jen Easterly said in the Thursday announcement:

This Emergency Directive requires immediate action by agencies to reduce risk to our federal systems. For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list… We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity.

Jen Easterly, CISA Director

Federal Agencies Need to Act Fast

All federal agencies whose email correspondence with Microsoft was found to have been compromised by the Russian hackers had previously been notified by Microsoft and by CISA. The publication of the directive marks the first time the U.S. government has confirmed that federal agency emails were exfiltrated in the Midnight Blizzard breach of Microsoft's corporate email that was disclosed in January.

CISA ordered affected agencies to identify the full content of their correspondence with the compromised Microsoft accounts and to perform a cybersecurity impact analysis by April 30, 2024.

According to the release, those who detect signs of authentication compromises are required to:

  1. Take immediate remediation action for tokens, passwords, API keys, or other authentication credentials known or suspected to be compromised.
  2. For any known or suspected authentication compromises identified through action 1, by April 30, 2024:
    • Reset credentials in associated applications and deactivate associated applications that are no longer of use to the agency.
    • Review sign-in, token issuance, and other account activity logs for users and services whose credentials were suspected or observed as compromised for potential malicious activity.
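The log-review step is where most of the analyst effort in the list above goes: once you know which users and service principals were exposed, you need a baseline of their normal activity and a way to surface what changed after the credentials could have been in adversary hands. The following script is an added example written for this article; it is not part of the directive or of any Microsoft tooling. It baselines each suspected principal's sign-ins before an assumed compromise time, flags later sign-ins from unseen source IPs or applications and any failed attempts, and collects the service-principal credential key IDs exercised after that time so they can be rotated. The sample records are constructed and use a simplified, assumed subset of the Entra ID sign-in and service-principal sign-in log fields (the `principal` and `kind` fields stand in for `userPrincipalName` / `servicePrincipalName`); the principal names and compromise times are likewise assumptions.

```python
"""Triage sign-in records for principals whose credentials are known or
suspected compromised: baseline each principal's activity before the assumed
compromise time, flag later sign-ins that deviate from it, and collect the
credential key IDs exercised afterwards so they can be rotated."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in a simplified, assumed subset of the Entra ID
# sign-in / service-principal sign-in log schema. `principal` and `kind`
# stand in for userPrincipalName / servicePrincipalName; timestamps are UTC.
# errorCode 7000215 is the Entra "invalid client secret" code.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2024-01-08T09:02:11Z", "principal": "jdoe@agency.example", "kind": "user", "ipAddress": "198.51.100.10", "appDisplayName": "Outlook", "isInteractive": true, "status": {"errorCode": 0}}
{"createdDateTime": "2024-01-09T10:15:40Z", "principal": "jdoe@agency.example", "kind": "user", "ipAddress": "198.51.100.11", "appDisplayName": "Outlook", "isInteractive": true, "status": {"errorCode": 0}}
{"createdDateTime": "2024-01-14T03:41:05Z", "principal": "jdoe@agency.example", "kind": "user", "ipAddress": "203.0.113.77", "appDisplayName": "Microsoft Graph PowerShell", "isInteractive": false, "status": {"errorCode": 0}}
{"createdDateTime": "2024-01-14T03:42:30Z", "principal": "jdoe@agency.example", "kind": "user", "ipAddress": "203.0.113.77", "appDisplayName": "Outlook", "isInteractive": false, "status": {"errorCode": 0}}
{"createdDateTime": "2024-01-10T12:00:00Z", "principal": "mail-sync-app", "kind": "servicePrincipal", "ipAddress": "198.51.100.20", "appDisplayName": "mail-sync-app", "servicePrincipalCredentialKeyId": "a1b2c3", "status": {"errorCode": 0}}
{"createdDateTime": "2024-01-15T22:10:00Z", "principal": "mail-sync-app", "kind": "servicePrincipal", "ipAddress": "203.0.113.78", "appDisplayName": "mail-sync-app", "servicePrincipalCredentialKeyId": "a1b2c3", "status": {"errorCode": 0}}
{"createdDateTime": "2024-01-15T22:11:00Z", "principal": "mail-sync-app", "kind": "servicePrincipal", "ipAddress": "203.0.113.78", "appDisplayName": "mail-sync-app", "servicePrincipalCredentialKeyId": "d4e5f6", "status": {"errorCode": 7000215}}
{"createdDateTime": "2024-01-12T08:00:00Z", "principal": "asmith@agency.example", "kind": "user", "ipAddress": "198.51.100.30", "appDisplayName": "Teams", "isInteractive": true, "status": {"errorCode": 0}}
"""

# Principals known or suspected compromised, each with the earliest time the
# credential could have been in adversary hands (assumed values).
SUSPECTED = {
    "jdoe@agency.example": datetime(2024, 1, 12, tzinfo=timezone.utc),
    "mail-sync-app": datetime(2024, 1, 12, tzinfo=timezone.utc),
}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def triage(records, suspected):
    """Return per-principal findings: post-compromise sign-ins whose source IP
    or application never appeared before the suspected compromise time (or
    that failed), plus every service-principal credential key ID used after
    that time, including keys seen only in failed attempts."""
    by_principal = defaultdict(list)
    for rec in records:
        if rec["principal"] in suspected:  # other principals are out of scope
            by_principal[rec["principal"]].append(rec)

    report = {}
    for principal, since in suspected.items():
        recs = sorted(by_principal.get(principal, []), key=_ts)
        # Baseline: what this principal looked like before the compromise window.
        baseline_ips = {r["ipAddress"] for r in recs if _ts(r) < since}
        baseline_apps = {r["appDisplayName"] for r in recs if _ts(r) < since}
        flagged, key_ids = [], set()
        for r in recs:
            if _ts(r) < since:
                continue
            reasons = []
            if r["ipAddress"] not in baseline_ips:
                reasons.append("new source IP")
            if r["appDisplayName"] not in baseline_apps:
                reasons.append("new application")
            if r.get("status", {}).get("errorCode", 0) != 0:
                reasons.append("failed attempt")
            key_id = r.get("servicePrincipalCredentialKeyId")
            if key_id:
                key_ids.add(key_id)
            if reasons:
                flagged.append({
                    "time": r["createdDateTime"],
                    "ip": r["ipAddress"],
                    "app": r["appDisplayName"],
                    "interactive": r.get("isInteractive"),
                    "reasons": reasons,
                })
        report[principal] = {"flagged": flagged, "rotate_key_ids": sorted(key_ids)}
    return report


if __name__ == "__main__":
    print(json.dumps(triage(parse_signins(SAMPLE_SIGNINS), SUSPECTED), indent=2))
```

On real exports the baseline should come from a longer window than the handful of records here, and the IP comparison is a starting point rather than a verdict: adversaries with stolen credentials routinely source sign-ins from residential proxies, so a "new source IP" hit is a lead to pivot on (application, token type, mailbox actions) rather than proof of compromise on its own. Key IDs that appear only in failed attempts are still listed for rotation, since a failure with an old secret shows the attacker holds it.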

While FCEB agencies are the only organisations bound by ED 24-02, other organisations may also be affected by the compromise of Microsoft corporate accounts. Such organisations are encouraged to contact their respective Microsoft account teams for help.

Whether or not they are directly affected, all organisations should apply basic security hygiene: use strong, unique passwords, turn on multi-factor authentication (MFA) wherever practical, and avoid sending credentials or other confidential information over unprotected channels such as plain email.

Author Profile

Cristian Neagu

CONTENT EDITOR

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.