Hackers from the Russian state-backed group Midnight Blizzard managed to obtain important emails from Microsoft. The attack led to the interception of communications between regulators and the tech company.
So concludes the U.S. Cybersecurity & Infrastructure Security Agency (CISA). The danger from the cyber incident, known since January, is great enough to now require an emergency directive. In addition, the number of Midnight Blizzard cyber attacks is increasing dramatically. In February, infiltration attempts by this group increased tenfold, including through password spray attacks.
When the Midnight Blizzard attack was announced, the email accounts of Microsoft executives were found to have been compromised. This has forced CISA to push other U.S. government agencies into action. The main goal is to prevent the Russian hackers from striking again, this time at a government agency. In addition, it must become clear where the government can improve its security.
Damage assessment
CISA requires four steps to assess the impact of the cyber attack. First, all compromised and untrusted tokens, passwords, API keys and other authentication credentials must be eliminated. This applies to all entities identified by CISA as potential victims of the Midnight Blizzard infiltration of Microsoft email accounts.
Where organizations suspect that they have indeed been compromised, additional action is required. Credentials should be reset, and a broader review of sign-ins, the distribution of tokens and other authentication means should take place.
All affected agencies should additionally inventory all correspondence involving compromised Microsoft accounts and notify CISA of this and all of the above steps as appropriate.
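As an added example (not material from the article or from CISA), this is the kind of sign-in review the second step calls for: it flags a source whose failed sign-ins are spread thinly across many accounts, the password-spray shape mentioned earlier, and lists the accounts that signed in successfully from such a source so their credentials and tokens can be reset. The log events, account names, addresses and thresholds are constructed for the example.

```python
# Added example: review constructed sign-in events for the password-spray
# pattern and list accounts that need credential reset and token review.
from collections import defaultdict

# Constructed sample events: (timestamp, user, source_ip, outcome)
SIGNIN_EVENTS = [
    ("2024-02-01T10:00:01", "alice", "203.0.113.5", "failure"),
    ("2024-02-01T10:00:03", "bob", "203.0.113.5", "failure"),
    ("2024-02-01T10:00:05", "carol", "203.0.113.5", "failure"),
    ("2024-02-01T10:00:07", "dave", "203.0.113.5", "failure"),
    ("2024-02-01T10:00:09", "erin", "203.0.113.5", "failure"),
    ("2024-02-01T10:00:11", "frank", "203.0.113.5", "success"),
    ("2024-02-01T10:05:00", "alice", "198.51.100.7", "failure"),
    ("2024-02-01T10:05:10", "alice", "198.51.100.7", "success"),
]


def find_spray_sources(events, min_accounts=5, max_failures_per_account=2):
    """Return source IPs whose failures are spread over many accounts with
    few attempts each: the spray shape, as opposed to one user retyping a
    password (198.51.100.7 above, which is not flagged)."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> count
    for _ts, user, ip, outcome in events:
        if outcome == "failure":
            failures[ip][user] += 1
    return sorted(
        ip for ip, per_user in failures.items()
        if len(per_user) >= min_accounts
        and max(per_user.values()) <= max_failures_per_account
    )


def accounts_to_review(events, spray_sources):
    """Accounts that signed in successfully from a spray source: these need
    a credential reset and a review of tokens issued since that sign-in."""
    return sorted({
        user for _ts, user, ip, outcome in events
        if outcome == "success" and ip in spray_sources
    })


if __name__ == "__main__":
    sources = find_spray_sources(SIGNIN_EVENTS)
    print("spray sources:", sources)
    print("accounts to review:", accounts_to_review(SIGNIN_EVENTS, sources))
```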
This initiative should make clear to the U.S. government what damage may have been suffered as a result of the Russian attack. The discussions between Microsoft and government agencies will be diverse in nature and potentially relevant to national security. After all, Microsoft products are also aimed at governments, and the company assumes responsibility for sensitive information such as state secrets.
Consequences difficult to foresee
This CISA requirement seems a bit late, since it has been known for months that Microsoft had been attacked by Midnight Blizzard. Still, it must be said that it was mostly Microsoft that dawdled. Aside from ignoring the security best practices it recommends to others, Microsoft, on several occasions, chose to wait before notifying CISA of such incidents. The U.S. Cyber Safety Review Board (CSRB) concluded that another attack (from China) was the result of a “cascade of errors”.