The Russia-linked hackers behind the attack on Microsoft’s internal systems starting in late November stole credentials for federal agencies that could be used to compromise government departments, cyber authorities said Thursday.
The Cybersecurity and Infrastructure Security Agency issued an emergency directive on April 2, which it made public Thursday, requiring federal agencies to reset credentials and hunt for potential breaches or malicious activity. The deadline to report these actions to CISA was April 8.
“Agencies have moved with extraordinary urgency to remediate any instances of potentially exposed credentials,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said Thursday during a media briefing. “At this time, we are not aware of any agency production environments that have experienced a compromise as a result of credential exposure.”
Microsoft and several federal agencies exchanged credentials via email, which created an unacceptable risk of exposure to a malicious group, according to CISA. Goldstein declined to say why the credentials were shared in these cases, but noted logins are sometimes shared as part of a troubleshooting ticket or as part of a code snippet to remediate an issue.
“That is certainly not a best practice and is one that does associate with a significant degree of risk,” Goldstein said.
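The sharing pattern described above (logins pasted into troubleshooting tickets or code snippets) is something a defender can hunt for directly in exported ticket bodies or mailbox text when deciding which credentials to rotate. The following Python is an added example, not code from the article, from Microsoft or from CISA; the regular expressions, the ticket identifiers and the sample messages are all constructed for illustration, and the AWS key in one sample is the documented placeholder format rather than a real key.

```python
"""Flag credential-like strings in support-ticket or email text.

Added example (not from the article, Microsoft or CISA): a small scanner a
defender can run over exported ticket bodies or mailbox text to find
credentials that were shared in plain text, so their owners can be rotated.
All patterns, message ids and message bodies below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Each pattern captures the secret itself in group 1 so it can be redacted
# in the report (the report must not become a second copy of the secret).
SECRET_PATTERNS = {
    # KEY=value style assignments such as DB_PASSWORD=..., pwd: ..., token="..."
    "password_assignment": re.compile(
        r"(?i)\b[\w.-]*(?:password|passwd|pwd|secret|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
    # HTTP Authorization header bearer tokens (JWTs, OAuth access tokens).
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    # AWS access key ID format (AKIA followed by 16 upper-case alphanumerics).
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}


@dataclass
class Finding:
    kind: str       # which pattern fired
    line_no: int    # 1-based line within the message
    redacted: str   # first three characters plus the length, never the value


def redact(secret: str) -> str:
    """Keep just enough of the value to recognise it when rotating it."""
    return f"{secret[:3]}...[{len(secret)} chars]"


def scan_message(text: str) -> list[Finding]:
    """Return one Finding per credential-like match, line by line.

    A string that matches more than one pattern is reported once per pattern;
    that is acceptable here because every hit leads to the same action.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(1))))
    return findings


def triage(messages: dict[str, str]) -> dict[str, list[Finding]]:
    """Map message id -> findings, keeping only messages that need rotation."""
    report = {msg_id: scan_message(body) for msg_id, body in messages.items()}
    return {msg_id: found for msg_id, found in report.items() if found}


# Constructed sample ticket bodies (hypothetical ids and contents).
SAMPLE_MESSAGES = {
    "TKT-1001": "To reproduce, set DB_PASSWORD=Hunter2Winter! in your .env and rerun the job.",
    "TKT-1002": (
        "Workaround until the fix ships:\n"
        "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2lnbmF0dXJl' "
        "https://api.example.invalid/v1/status"
    ),
    "TKT-1003": "Old key AKIAIOSFODNN7EXAMPLE is in the deploy script; please confirm it was rotated.",
    "TKT-1004": "Deployment failed with HTTP 503 at 14:02 UTC; logs attached.",
}


if __name__ == "__main__":
    for msg_id, found in triage(SAMPLE_MESSAGES).items():
        for f in found:
            print(f"{msg_id} line {f.line_no}: {f.kind} {f.redacted} -> rotate")
```

The scanner deliberately reports a redacted prefix and length rather than the matched value, so the output can be handed to the team doing the rotation without re-creating the exposure it is meant to find. Tune the keyword list and minimum lengths to the ticketing system in use; short values under the eight-character floor are ignored to keep noise down.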
The Russian state-sponsored threat group, which Microsoft identifies as Midnight Blizzard and which is also known as APT29 or Cozy Bear, was still using secrets it stole from Microsoft’s systems in late November to gain or attempt to gain further access to the company’s infrastructure last month, the company said in a filing with the Securities and Exchange Commission.
The nation-state group was known as Nobelium when it initiated the Sunburst attacks on SolarWinds and other companies in 2020.
CISA declined to quantify how many agencies Microsoft notified of potential exposure or which agencies were required to comply with the emergency directive.
“We would assess the potential for exposure of federal authentication credentials to the Midnight Blizzard actor does pose an exigent risk to the federal enterprise,” Goldstein said.
Investigation into Microsoft-linked exposure ongoing
The U.S. government is still leaning on Microsoft to assist with remediation support and the ongoing investigation into what’s at risk, despite the web of exposure and potentially compromised position engulfing an untold number of federal agencies.
“Agencies are doing the analysis based upon information from Microsoft to assess whether, in fact, credentials may have actually been exposed or accessed. That analysis is ongoing,” Goldstein said.
When asked for comment, Microsoft repeated the response it sent to Cybersecurity Dive last week. “As we shared in our March 8 blog, as we discover secrets in our exfiltrated email, we are working with our customers to help them investigate and mitigate. This includes working with CISA on an emergency directive to provide guidance to government agencies,” a Microsoft spokesperson said.
Midnight Blizzard’s persistence and, in some cases, expanding attack against Microsoft underscores the tech giant’s need to overhaul its internal security practices.
CISA’s emergency directive was issued the same day the Cyber Safety Review Board released a damning report about a “cascade of security failures at Microsoft” that allowed a China-affiliated threat group to compromise Microsoft Exchange accounts in May 2023.
That attack by a nation-state group Microsoft identifies as Storm-0558 compromised emails of 22 organizations and more than 500 individuals, including senior U.S. officials. Microsoft has yet to determine the root cause of that intrusion, the CSRB said in the report.
“CISA and the broader U.S. government are working closely with Microsoft in alignment with the recommendations of the Cyber Safety Review Board to drive further progress in Microsoft’s improvement plans for their broader security culture and enterprise,” Goldstein said.