CISA directs agencies to investigate if Russian hackers stole Microsoft account details

The Cybersecurity and Infrastructure Security Agency has directed multiple federal agencies to scrub their Microsoft accounts for signs of compromise after Russia-linked hackers potentially accessed agency passwords and other sensitive log-in details.

In an emergency directive publicly released today, CISA said multiple federal agencies had their email correspondence with Microsoft stolen by the Russian state-sponsored group “Midnight Blizzard.” CISA said the stolen emails pose a “grave” risk to the federal government.

The group gained access to sensitive agency information by compromising Microsoft’s corporate email accounts starting in January. The hackers are now trying to use the information in those stolen emails, which include authentication details, to gain additional access to Microsoft customer systems, CISA said.

“Agencies have moved with extraordinary urgency to remediate any instances of potentially exposed credentials. This is something that every agency takes very seriously,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein said in a call with reporters today. “And so working with CISA, agencies have undertaken the right level of urgent remediation pursuant to this directive.”

The emergency directive was first sent to agencies on April 2.  CyberScoop first reported on the existence of the emergency directive.

Goldstein declined to say how many agencies have had their emails stolen in the breach, noting that Microsoft’s investigation is ongoing and the number could change. “That analysis is ongoing,” he said.

But Goldstein said CISA is not aware of any agencies having their production systems compromised as a result of stolen credentials connected to the Midnight Blizzard hack.

Microsoft has identified a “subset” of affected agencies where the hackers may have accessed emails containing sensitive authentication data, such as credentials or passwords. The emergency directive requires those agencies to take “immediate remediation action for tokens, passwords, API keys, or other authentication credentials known or suspected to be compromised.”

They then have until April 30 to reset credentials in associated applications and deactivate associated applications that are no longer in use.

CISA has directed all other affected agencies to “take steps to identify the full content of the agency correspondence with compromised Microsoft accounts and perform a cybersecurity impact analysis.”

Goldstein acknowledged that the sharing of passwords and authentication details via email is not a “best practice.”

“Without speaking to the breadth of potential use cases, that might be at issue here, it is at times the case that authentication credentials may be shared as part of a troubleshooting ticket, might be shared as part of a code snippet between organizations in order to fix or remediate an issue or bug,” Goldstein said. “That is certainly not a best practice and is one that does associate with a significant degree of risk.”

The emergency directive comes little more than a week after a report by the Cyber Safety Review Board slammed Microsoft for its “inadequate” security culture. The review board said Microsoft’s lax security practices were to blame for the summer 2023 Microsoft Exchange Online intrusion.

The CSRB report also took note of the Midnight Blizzard compromises. Since first reporting the intrusions in January, Microsoft has recently said the hackers also gained access to some of Microsoft’s source code repositories and internal systems.

“While this second intrusion was outside of the scope of the board’s current review, the board is troubled that this new incident occurred months after the Exchange Online compromise covered in this review,” the CSRB wrote. “This additional intrusion highlights the board’s concern that Microsoft has not yet implemented the necessary governance or prioritization of security to address the apparent security weaknesses and control failures within its environment and to prevent similar incidents in the future.”

Microsoft has come under fire from some outside commenters and at least one lawmaker, Sen. Ron Wyden (D-Ore.), as a result of the CSRB report.

Commenting today on CISA’s emergency directive, Roger Cressey, a former senior national security official in the Clinton and Bush administrations, criticized Microsoft’s security practices.

“Microsoft continues to be exploited by Russia and China because the products Microsoft supplies to the U.S. government repeatedly fail the security test,” Cressey said. “The CSRB in its recent report made clear Microsoft’s security failures are posing a threat to our national security. The federal government needs to take decisive action now to compel Microsoft to change its behavior.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.