CISA emergency directive tells agencies to fix credentials after Microsoft breach
The Cybersecurity and Infrastructure Security Agency published an emergency directive Thursday in response to a Russian intelligence-linked hacking campaign that breached Microsoft, telling affected federal civilian agencies whose emails were stolen or passwords accessed to reset authentication credentials.
CISA’s directive comes in the week after CyberScoop first reported its existence.
“Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard,” the directive reads, referring to Microsoft’s name for the hacking group. “In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.
“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” it continues.
The directive, dated April 2, tells affected agencies to “take immediate remediation action” on authentication credentials if those credentials are known or suspected to have been compromised. It gives them until April 30 to reset credentials for related applications, and by the same deadline orders them to identify affected email correspondence.
The agencies also must report to CISA on their activities in response to the directive. The first deadline of April 8 has already passed; the next is May 1.
Midnight Blizzard is alternately known as Cozy Bear and APT29. Among the highest-profile attacks that governments and cyber companies have attributed to the group was the attack on the firm SolarWinds that surfaced in 2020 — an attack that the federal government said impacted nine federal agencies.
“The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems,” the directive states. “According to Microsoft, Midnight Blizzard has increased the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold in February, compared to an already large volume seen in January 2024.”
CISA has published one full emergency directive in 2024 and added to it twice with supplemental material; all of those documents deal with Ivanti product vulnerabilities.
While CISA’s emergency directives and less-urgent binding operational directives apply only to federal agencies, the private sector often watches them closely to take cues on security steps that industry should also follow.
“This Emergency Directive requires immediate action by agencies to reduce risk to our federal systems,” CISA Director Jen Easterly said in a statement. “For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity.”