On April 11, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive in response Midnight stormaka Cozy Bear, a Russian state-sponsored criminal group that has targeted Microsoft email accounts in its latest campaign.
The group is extracting information from Microsoft business email systems to gain access to Microsoft customer systems. Microsoft and CISA have already ascertained which companies’ correspondence has been stolen so far and have informed them accordingly.
“The initial entry vector for the Midnight Blizzard attack was a Microsoft 365 password spray,” said John Fokker, head of threat intelligence at Trellix, in an emailed statement. Trellix researchers observed more than 120 such attacks in the first quarter of the year alone.
The CISA directive was initially issued exclusively to federal agencies on April 2. It required agencies to observe and analyze Microsoft email accounts to determine if they had been affected, reset compromised credentials, and protect any privileged Microsoft Azure accounts.
These requirements only apply to Federal Civilian Executive Branch (FCEB) agencies, as they appear to be the primary focus of Midnight Blizzard. But CISA notes that other organizations may also have been contacted and should seek assistance.
“Regardless of direct impact, all organizations are strongly encouraged to apply rigorous security measures, including strong passwords, multi-factor authentication (MFA), and prohibited sharing of unprotected sensitive information through unsecured channels,” CISA said in his statement.
Jen Easterly, director of CISA, also noted that this compromise of Microsoft is just the latest malicious cyber activity in the Russian program and that the emergency directive is intended to ensure that federal civilian agencies’ networks and systems are secure.