CISA issues Emergency Directive 24-02 in response to Russian cyber threat targeting Microsoft email accounts


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) publicly issued Emergency Directive (ED) 24-02 in response to a cyber campaign by the Russian state-sponsored hacker group Midnight Blizzard. The campaign targeted Microsoft corporate email accounts, potentially gaining access to correspondence with federal civilian executive branch (FCEB) agencies. CISA first issued the Directive to federal agencies on Apr. 2, in light of the threat information available at the time and the limited applicability of the required actions, which depend on Microsoft notifying agencies of exposed credentials.

ED 24-02 will remain in effect until CISA determines that agencies have performed all required actions from this directive, or the directive is terminated through other appropriate action.

Microsoft has disclosed this year that the Midnight Blizzard cyber threat group, backed by the Russian state, has extracted email communications between FCEB agencies and Microsoft by compromising Microsoft corporate email accounts. Microsoft has disclosed details of the incident and subsequent updates through various communications since January 2024.

“The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems,” according to ED 24-02. “According to Microsoft, Midnight Blizzard has increased the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold in February, compared to an already large volume seen in January 2024.”

ED 24-02 added that Midnight Blizzard’s compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies. “This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.”

Midnight Blizzard is using information initially exfiltrated from Microsoft corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to certain Microsoft customer systems. 

Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard. Furthermore, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.

Finally, Microsoft has agreed to provide metadata for all exfiltrated federal agency correspondence—regardless of the presence of authentication secrets—upon the request of the National Cyber Investigative Joint Task Force (NCIJTF), which has volunteered to be the single federal point of contact for this incident.

“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, ensuring that federal civilian agencies are taking all necessary steps to secure their networks and systems is among our top priorities. This Emergency Directive requires immediate action by agencies to reduce risk to our federal systems,” Jen Easterly, CISA director, said in a media statement. “For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity.”

Identifying that Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies, ED 24-02 requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure. CISA has assessed appropriate actions to understand and mitigate the risk posed by Midnight Blizzard’s possession of the exfiltrated correspondence between FCEB agencies and Microsoft.

The Directive mandates agencies to assess potentially impacted emails, reset any compromised credentials, and implement further measures to enhance the security of privileged Microsoft Azure accounts. As federal civilian agencies implement this mandate, CISA will assess and support agency adherence and provide additional resources as required. CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.

While ED 24-02 requirements apply only to FCEB agencies, other organizations may also have been impacted by the exfiltration of Microsoft corporate accounts and are encouraged to contact their respective Microsoft account team for guidance. Regardless of direct impact, all organizations are strongly encouraged to apply stringent security measures, including strong passwords, multifactor authentication (MFA), and prohibited sharing of unprotected sensitive information via insecure channels.

Affected agencies that receive email metadata from Microsoft corresponding to known or suspected authentication compromises, or that otherwise become aware of specific details of such compromises, shall take immediate remediation action for tokens, passwords, API keys, or other authentication credentials known or suspected to be compromised.

For any known or suspected authentication compromises identified above, agencies must, by the end of this month, reset credentials in associated applications, deactivate associated applications that are no longer of use to the agency, and review sign-in, token issuance, and other account activity logs for users and services whose credentials were suspected or observed as compromised, looking for potential malicious activity.
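The log review in that remediation step, as an added example that is not part of ED 24-02 or of this article: a small Python triage run over constructed sign-in records. Given the principals whose credentials are known or suspected compromised, it lists their successful sign-ins after an assumed exposure cutoff, the applications they reached (so credentials in those applications can be reset), and source addresses whose failures span many distinct users, the password-spray pattern the directive describes. The record fields, account names, IP addresses and cutoff date are all constructed assumptions, not Microsoft's export schema or real telemetry.

```python
"""Post-exposure sign-in log triage (added example; constructed data).

Field names roughly follow the shape of an Entra ID sign-in export but are
assumptions here; the cutoff date and all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

SPRAY_MIN_USERS = 5  # distinct failed users from one source IP before we flag a spray


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-02-10T03:12:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def successful_signins_since(records, compromised, cutoff):
    """Successful sign-ins by compromised principals at or after the cutoff."""
    return [r for r in records
            if r["user"] in compromised and r["status"] == "success"
            and parse_time(r["time"]) >= cutoff]


def applications_to_reset(records, compromised, cutoff):
    """Map each compromised principal to the applications it reached since the cutoff."""
    apps = defaultdict(set)
    for r in successful_signins_since(records, compromised, cutoff):
        apps[r["user"]].add(r["app"])
    return {user: sorted(names) for user, names in apps.items()}


def password_spray_sources(records, min_users=SPRAY_MIN_USERS):
    """Source IPs whose failed sign-ins span at least min_users distinct users."""
    failed_users = defaultdict(set)
    for r in records:
        if r["status"] == "failure":
            failed_users[r["ip"]].add(r["user"])
    return {ip: len(users) for ip, users in failed_users.items() if len(users) >= min_users}


def triage(records, compromised, cutoff):
    """Summarise what a responder needs to act on for the compromised principals."""
    hits = successful_signins_since(records, compromised, cutoff)
    return {
        "successful_signins": len(hits),
        "no_mfa": sum(1 for r in hits if not r["mfa"]),
        "apps_to_reset": applications_to_reset(records, compromised, cutoff),
        "spray_sources": password_spray_sources(records),
    }


def signin(time, user, ip, app, status, mfa=False):
    """Build one constructed sign-in record."""
    return {"time": time, "user": user, "ip": ip, "app": app, "status": status, "mfa": mfa}


# Constructed inputs: principals named in a (hypothetical) notification, and an
# assumed cutoff for when their credentials may first have been exposed.
COMPROMISED = {"jdoe@agency.example", "svc-backup@agency.example"}
CUTOFF = parse_time("2024-01-12T00:00:00Z")

# Constructed sign-in records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SIGNINS = [
    signin("2024-01-05T09:00:00Z", "jdoe@agency.example", "198.51.100.10", "Exchange Online", "success", mfa=True),
    signin("2024-02-10T03:12:00Z", "jdoe@agency.example", "203.0.113.7", "Exchange Online", "success"),
    signin("2024-02-11T03:15:00Z", "svc-backup@agency.example", "203.0.113.7", "Azure Portal", "success"),
    signin("2024-02-11T03:20:00Z", "jdoe@agency.example", "203.0.113.7", "SharePoint Online", "success"),
    signin("2024-02-11T10:00:00Z", "asmith@agency.example", "198.51.100.11", "Exchange Online", "success", mfa=True),
    signin("2024-02-12T02:00:00Z", "jdoe@agency.example", "198.51.100.12", "Exchange Online", "failure"),
] + [
    # Seven failures for seven different users from one address within minutes: a spray.
    signin(f"2024-02-12T04:{i:02d}:00Z", f"user{i}@agency.example", "203.0.113.9", "Exchange Online", "failure")
    for i in range(1, 8)
]

if __name__ == "__main__":
    for key, value in triage(SIGNINS, COMPROMISED, CUTOFF).items():
        print(f"{key}: {value}")
```

The pre-cutoff sign-in with MFA is deliberately left out of the findings, while the three post-cutoff successes without MFA, the two applications each principal touched, and the single spraying address are what the responder is handed; a real run would feed exported records into the same functions.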

All affected agencies shall take steps to identify the full content of the agency correspondence with compromised Microsoft accounts and perform a cybersecurity impact analysis. This action shall be completed by the end of this month. For known or suspected authentication compromises identified through agency analysis, provide notification to CISA, who will work with agencies on an updated timeline for completing these required actions.

“Agencies shall report status to CISA across all required actions by 11:59 PM April 8, 2024, provide a status update to CISA by 11:59 PM May 1, 2024, and, as applicable, provide weekly updates on remediation actions for authentication compromises until completion,” ED 24-02 stipulated. “CISA will provide agencies with a reporting template and reporting instructions.”

On its part, CISA will provide agencies with instructions for accessing the content of agency emails and analyzing the content of the email. The agency will also continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate. It will provide technical assistance to agencies that are without internal capabilities sufficient to comply with this Directive.

By Sept. 1, this year, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying cross-agency status and outstanding issues. CISA will also provide a copy of the report to the National Cyber Director.

Last August, the Microsoft Threat Intelligence team identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that the software giant tracks as Midnight Blizzard (previously tracked as Nobelium). This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of its objectives using both new and common techniques. 

Microsoft added that the organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-governmental organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.
