CISA emergency directive tells agencies to fix credentials after Microsoft breach

The Cybersecurity and Infrastructure Security Agency published an emergency directive Thursday in response to a Russian intelligence-linked hacking campaign that breached Microsoft, telling affected federal civilian agencies whose emails were stolen or passwords accessed to reset authentication credentials.

CISA’s directive comes in the week after CyberScoop first reported its existence.

“Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard,” the directive reads, referring to Microsoft’s name for the hacking group. “In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” it continues.

The directive, dated April 2, tells affected agencies to “take immediate remediation action” on authentication credentials if those credentials are known or suspected to have been compromised. It gives them until April 30 to reset credentials for related applications, and by the same deadline orders them to identify affected email correspondence.

The agencies also must report to CISA on their activities in response to the directive. The first deadline of April 8 has already passed; the next is May 1.

Agencies are showing “the right level of urgent remediation” in response to the directive, Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a briefing with reporters Thursday. Goldstein said CISA would not disclose the number of agencies affected.

Goldstein acknowledged that passing credentials between federal agencies and Microsoft via email created a security liability. 

“Without speaking to the breadth of potential use cases that might be at issue here, it is at times the case that authentication credentials may be shared as part of troubleshooting and might be shared as part of a code snippet between organizations in order to fix or remediate an issue or bug,” he said. “That is certainly not a best practice and is one that does associate with a significant degree of risk.”

A CISA spokesperson said the agency is working closely with the FBI to respond to the incident.

Midnight Blizzard is alternately known as Cozy Bear and APT29. Among the highest-profile attacks that governments and cyber companies have attributed to the group was the attack on the firm SolarWinds that surfaced in 2020 — an attack that the federal government said impacted nine federal agencies.

“The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems,” the directive states. “According to Microsoft, Midnight Blizzard has increased the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold in February, compared to an already large volume seen in January 2024.”

CISA has published one full emergency directive in 2024 and added to it twice with supplemental material; all of those documents deal with Ivanti product vulnerabilities.

While CISA’s emergency directives and less-urgent binding operational directives apply only to federal agencies, the private sector often watches them closely to take cues on security steps that industry should also follow.

“This Emergency Directive requires immediate action by agencies to reduce risk to our federal systems,” CISA Director Jen Easterly said in a statement. “For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity.”

Goldstein said CISA isn’t currently aware of “any agency or any agency production environments that have experienced a compromise as a result of credential exposure.”

While Microsoft first disclosed the Midnight Blizzard campaign in January, Goldstein said the company has undertaken an “ongoing” analysis “to identify specific authentication credentials that may have been exposed.”

This story was updated April, 11, 2024 with comments from CISA’s Eric Goldstein and a CISA spokesperson.