
CISA’s Midnight Blizzard directive, Microsoft in hot water



TLDR:

  • CISA issued an emergency directive in response to Midnight Blizzard, a Russian state-sponsored threat actor targeting Microsoft email accounts.
  • The directive requires Federal Civilian Executive Branch (FCEB) agencies to reset compromised credentials and secure privileged Microsoft Azure accounts.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on April 11 in response to Midnight Blizzard, also known as Cozy Bear, a Russian state-sponsored threat actor targeting Microsoft email accounts. This latest campaign involves exfiltrating information from Microsoft corporate email systems to gain access to Microsoft customer systems. Trellix research has observed over 120 of these attacks in the first quarter of the year.

The directive initially focused on Federal Civilian Executive Branch (FCEB) agencies and required them to observe and analyze Microsoft email accounts, reset compromised credentials, and secure privileged Microsoft Azure accounts. Even though the targets seem to be primarily FCEB agencies, CISA encourages all organizations to enhance their security measures. This includes implementing strong passwords, multifactor authentication (MFA), and refraining from sharing sensitive information through unsecured channels.

Jen Easterly, CISA’s director, highlighted that this Microsoft compromise is just the latest in a series of malicious cyber activities from the Russian playbook. The emergency directive aims to ensure the security of the networks and systems of federal civilian agencies. Additionally, Microsoft and CISA have identified the companies whose correspondence has been exfiltrated and have notified them accordingly.

