CISA Issues Emergency Directive After Midnight Blizzard Microsoft Hits

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive in response on April 11 to Midnight Blizzard, aka Cozy Bear, a Russian state-sponsored threat actor targeting Microsoft email accounts in its latest campaign.

The group is exfiltrating information from Microsoft corporate email systems to gain access to Microsoft customer systems. Microsoft and CISA have already determined which companies' correspondence has been exfiltrated so far and notified them accordingly.

"The initial access vector for the Midnight Blizzard attack was a Microsoft 365 password spray," said John Fokker, head of threat intelligence at Trellix, in an emailed statement. Researchers at Trellix have observed more than 120 of these kind of attacks in the first quarter of the year alone.

CISA's directive initially was issued solely to federal agencies on April 2. It required agencies to observe and analyze Microsoft email accounts to determine if they had been affected, reset compromised credentials, and secure any privileged Microsoft Azure accounts.

These requirements apply only to Federal Civilian Executive Branch (FCEB) agencies, since they seem to be Midnight Blizzard's biggest target. But CISA notes other organizations may also have been contacted and should seek assistance.

"Regardless of direct impact, all organizations are strongly encouraged to apply stringent security measures, including strong passwords, multifactor authentication (MFA), and prohibited sharing of unprotected sensitive information via unsecure channels," CISA said in its statement.

Jen Easterly, CISA's director, also noted that this Microsoft compromise is just the latest malicious cyber activity in the Russian playbook, and that the emergency directive is intended to ensure that the networks and systems of federal civilian agencies are secure.