The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive (ED 24-02) on Thursday calling on federal agencies to look for signs of compromise and implement preventative measures following the recent compromise of Microsoft corporate systems, which led to the theft of email correspondence between the company and its customers.
The attack, which came to light earlier this year, was attributed to a Russian state-sponsored group tracked as Midnight Blizzard (also known as APT29 or Cozy Bear). Last month, Microsoft revealed that the attacker had also gained access to some of its source code repositories, but said there was no evidence that customer-facing systems had been breached.
The emergency directive, originally issued privately to federal agencies on April 2, was first reported by CyberScoop two days later.
“The threat actor uses information initially exfiltrated from corporate email systems, including authentication details shared between Microsoft customers and Microsoft via email, to gain, or attempt to gain, further access to Microsoft customer systems,” CISA said.
The agency said the theft of email correspondence between government agencies and Microsoft poses serious risks, and urged affected parties to analyze the contents of the stolen emails, reset any credentials they exposed, and take additional steps to ensure that the authentication tools used for privileged Microsoft Azure accounts are secure.
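The first of those steps, reviewing exfiltrated correspondence for authentication material that was shared by email, is the one agencies largely have to do themselves. The script below is an added example (it is not code from CISA, Microsoft or the directive) showing one way to triage an email export: it parses RFC 5322 messages, extracts the plain-text bodies and flags lines that look like passwords, client secrets, bearer tokens, Azure storage account keys, SAS signatures or private keys, reporting redacted values so the findings can go into a rotation ticket without re-sharing the secret. The sample messages, addresses and credential patterns are constructed for this example and are assumptions about what such material looks like, not an exhaustive list.

```python
"""Triage an exported mailbox for authentication material shared by email.

Added example for this article, not code from CISA, Microsoft or ED 24-02.
Messages, addresses and detection patterns below are constructed for the example.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# (label, regex with one capture group for the secret). Assumed shapes, not exhaustive.
PATTERNS = [
    ("password", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})")),
    ("client_secret", re.compile(r"(?i)\b(?:client|app)[_ -]?secret\s*[:=]\s*(\S{8,})")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/-]{20,}=*)")),
    ("sas_signature", re.compile(r"(?i)[?&]sig=([A-Za-z0-9%+/]{20,}=*)")),
    ("storage_account_key", re.compile(r"(?i)AccountKey=([A-Za-z0-9+/]{40,}={0,2})")),
    ("private_key", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
]

# Rotation priority: long-lived keys first, interactive passwords last.
PRIORITY = {"private_key": 0, "storage_account_key": 1, "sas_signature": 2,
            "client_secret": 3, "bearer_token": 4, "password": 5}


def redact(secret: str) -> str:
    """Keep just enough of the value to recognise it in a ticket without re-sharing it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-2:]


def text_bodies(msg: EmailMessage):
    """Yield decoded text/plain bodies; HTML parts and attachments are skipped here."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            yield part.get_content()


def scan_message(raw: str) -> list[dict]:
    """Return one finding per credential-looking match in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for body in text_bodies(msg):
        for lineno, line in enumerate(body.splitlines(), 1):
            for label, pattern in PATTERNS:
                for match in pattern.finditer(line):
                    findings.append({
                        "message_id": str(msg.get("Message-ID")),
                        "from": str(msg.get("From")),
                        "subject": str(msg.get("Subject")),
                        "line": lineno,
                        "kind": label,
                        "value": redact(match.group(1)),
                    })
    return findings


def triage(raw_messages) -> list[dict]:
    """Scan every message and order findings by rotation priority."""
    findings = [f for raw in raw_messages for f in scan_message(raw)]
    findings.sort(key=lambda f: PRIORITY[f["kind"]])
    return findings


# Constructed placeholder, not a real key: 86 base64 characters plus padding.
FAKE_STORAGE_KEY = "A" * 86 + "=="

# Constructed sample export: a support thread, a benign notice, a log-export
# exchange, and an integrator message with a secret and a truncated key block.
SAMPLE_MESSAGES = [
    "From: support@example.invalid\nTo: cloudadmin@agency.example\n"
    "Subject: RE: Case 1234 - tenant access\nMessage-ID: <case1234@example.invalid>\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Hi, the break-glass account is ready.\npassword: Tr0ub4dor&3-temp\n"
    "Please rotate it after first sign-in.\n",
    "From: it-comms@agency.example\nTo: all@agency.example\nSubject: MFA rollout\n"
    "Message-ID: <mfa-rollout@agency.example>\nContent-Type: text/plain; charset=utf-8\n\n"
    "Reminder: MFA enrollment closes Friday.\n"
    "Please reset your password through the self-service portal if you have not already.\n",
    "From: devops@agency.example\nTo: support@example.invalid\n"
    "Subject: Log export for case 1234\nMessage-ID: <logs-1234@agency.example>\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
    "--b1\nContent-Type: text/plain; charset=utf-8\n\n"
    "Logs are at https://contosologs.blob.core.windows.net/export?sv=2022-11-02"
    "&sig=Zm9vYmFyYmF6cXV4cXV1eA%3D%3D\n"
    "Connection string: DefaultEndpointsProtocol=https;AccountName=contosologs;AccountKey="
    + FAKE_STORAGE_KEY + ";EndpointSuffix=core.windows.net\n"
    "--b1\nContent-Type: text/html; charset=utf-8\n\n<p>see plain text</p>\n--b1--\n",
    "From: integrator@vendor.invalid\nTo: cloudadmin@agency.example\n"
    "Subject: service principal cert\nMessage-ID: <sp-cert@vendor.invalid>\n"
    "Content-Type: text/plain\n\n"
    "client_secret=q7Gx~9ZpL0mKs3dFeR2tYw\n"
    "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC...(truncated placeholder)\n"
    "-----END PRIVATE KEY-----\n",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f"{f['kind']:20} {f['value']:16} {f['from']}  {f['subject']!r} line {f['line']}")
```

For a real export, replace `SAMPLE_MESSAGES` with the messages read from the mailbox (for example `mailbox.mbox(path)` from the standard library) and treat every hit as something to rotate rather than something to verify first: the directive's premise is that the attacker already has the original text, so a match that is stale or already rotated costs nothing, while a missed one does.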
It is currently unclear how many federal agencies had their email exchanges exfiltrated in the incident, although CISA said all affected agencies have been notified.
The agency also requires covered entities to perform a cybersecurity impact analysis by April 30, 2024, and to provide a status update by May 1, 2024, at 11:59 p.m. Other organizations affected by the breach are advised to contact their respective Microsoft account team with any additional questions or follow-ups.
“Regardless of direct impact, all organizations are strongly encouraged to apply rigorous security measures, including strong passwords, multi-factor authentication (MFA), and prohibited sharing of unsecured sensitive information through unsecured channels,” CISA said.
The development comes as CISA released a new version of its malware analysis system, called Malware Next-Gen, which allows organizations to submit malware samples (anonymously or otherwise) and other suspicious artifacts for analysis.