The Cybersecurity and Infrastructure Security Agency is working with Microsoft to investigate and mitigate Midnight Blizzard’s potential impacts on federal agencies. The Russia-linked threat group hacked into senior Microsoft executives’ accounts starting in late November and could pose a larger threat to federal agencies.
“As shared in our March 8 blog, as we discover secrets in our exfiltrated email we are working with our customers to help them investigate and mitigate any impacts,” a Microsoft spokesperson said Thursday via email. “This includes working with CISA on an emergency directive to provide guidance to government agencies.”
CISA issued an emergency directive to federal agencies earlier this week on how to mitigate the potential threat from Midnight Blizzard, CyberScoop reported. But the agency has not yet made the directive public.
CISA officials did not comment on any directive, but confirmed to Cybersecurity Dive it’s working with Microsoft on how to respond to the threat.
“CISA continues to provide guidance to Federal Civilian Executive Branch agencies regarding actions to secure accounts potentially placed at risk through the Midnight Blizzard campaign disclosed by Microsoft in January 2024,” a CISA spokesperson said via email. “We are working closely with Microsoft to understand the risks to federal agencies and the broader ecosystem in order to provide necessary guidance and information.”
The elevated concern follows a blistering report from the Cyber Safety Review Board, which investigated Microsoft’s handling of the summer 2023 attack on Microsoft Exchange. That attack allowed a separate state-linked threat group, identified as Storm-0558, to gain access to the accounts of 22 Microsoft customers and steal tens of thousands of emails from the U.S. State Department.
The CSRB report concluded the attack was “preventable and should never have occurred,” and it slammed Microsoft for subpar security practices and risk management.
After encountering significant government backlash from those attacks, Microsoft in November announced plans to overhaul its internal security practices in a plan called the Secure Future Initiative.
Microsoft previously warned that Midnight Blizzard was attempting to abuse “secrets” it gained access to from the original attack disclosed in January. Some of those secrets were shared over email between Microsoft and its customers.
In a March update, Microsoft said Midnight Blizzard had increased the volume of some of its threat activity, including password sprays, by as much as tenfold from January to February.
Midnight Blizzard, previously known as Nobelium, is the threat group held responsible for the 2020 Sunburst campaign, which included a supply chain attack against SolarWinds customers.
Midnight Blizzard was also exploiting critical vulnerabilities in JetBrains TeamCity applications by mid-December.
Hewlett Packard Enterprise disclosed in a January filing with the Securities and Exchange Commission that Midnight Blizzard gained access to its environment and stole data from a small percentage of company inboxes and a limited number of SharePoint files.