A new emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA) requires U.S. federal agencies to address risks stemming from the compromise of multiple Microsoft corporate email accounts by the Russian state-sponsored group APT29.

Emergency Directive 24-02 was issued to Federal Civilian Executive Branch (FCEB) agencies on April 2, 2024 (and published on April 11). It instructs agencies to analyze the potentially affected emails, reset any compromised credentials, including passwords and tokens, and take additional steps to secure privileged Microsoft Azure accounts.

According to CISA, operatives from the Russian Foreign Intelligence Service (SVR) are now using information exfiltrated from Microsoft’s corporate email system, including authentication details that customers had shared with Microsoft by email, to gain or attempt to gain additional access to those customers’ systems.

CISA Director Jen Easterly emphasized the need for immediate action by agencies to reduce risks to federal systems. She stated that malicious cyber activity from Russia has been a longstanding issue and that collaboration with government and private sector partners is essential to defend against such threats.

Federal agencies have been notified about the stolen emails, and the directive requires them to identify the full content of correspondence with compromised Microsoft accounts by April 30, 2024.

The directive outlines the steps agencies must take if an authentication compromise is detected, including resetting the affected credentials and reviewing sign-in and account activity logs for signs of malicious use.

While the directive is focused on FCEB agencies, other organizations impacted by the breach are encouraged to seek guidance from their respective Microsoft account teams. All organizations are urged to implement strong security measures, such as using strong passwords and enabling multifactor authentication.

The APT29 hacking group, also tracked as Midnight Blizzard and NOBELIUM, was responsible for the breach of Microsoft’s corporate email system that Microsoft disclosed in January 2024; the intrusion itself began in late November 2023. The attackers gained their initial foothold with a password-spray attack against a legacy non-production test tenant account that did not have multifactor authentication enabled, then abused a legacy test OAuth application that held elevated access to Microsoft’s corporate environment to reach corporate mailboxes.
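The directive’s log-review step and the password-spray entry point above share the same detection logic: one source address failing authentication against many distinct accounts in a short window, followed by a successful single-factor sign-in from that same address. The Python below is an added example written for this page, not CISA’s or Microsoft’s tooling. Its event fields mirror the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`, `authenticationRequirement`), but every record in `SAMPLE_EVENTS`, including the addresses and account names, is constructed sample data.

```python
"""Password-spray triage over Entra ID (Azure AD) style sign-in events.

Added example for this article; not CISA's or Microsoft's code. Field names
follow the Microsoft Graph signIn resource, but all events are constructed.
Error code 50126 is Entra's "invalid username or password"; 0 is success.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(user, ip, ts, code, requirement):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {
        "userPrincipalName": user,
        "ipAddress": ip,
        "createdDateTime": ts,
        "status": {"errorCode": code},
        "authenticationRequirement": requirement,
    }


# Constructed sample data (TEST-NET addresses, hypothetical tenant contoso.example).
SAMPLE_EVENTS = [
    # One address walks six accounts with a bad password, three minutes apart.
    _ev("alice@contoso.example", "203.0.113.7", "2024-01-10T02:00:00Z", 50126, "singleFactorAuthentication"),
    _ev("bob@contoso.example", "203.0.113.7", "2024-01-10T02:03:00Z", 50126, "singleFactorAuthentication"),
    _ev("carol@contoso.example", "203.0.113.7", "2024-01-10T02:06:00Z", 50126, "singleFactorAuthentication"),
    _ev("dave@contoso.example", "203.0.113.7", "2024-01-10T02:09:00Z", 50126, "singleFactorAuthentication"),
    _ev("erin@contoso.example", "203.0.113.7", "2024-01-10T02:12:00Z", 50126, "singleFactorAuthentication"),
    _ev("legacy-test@contoso.example", "203.0.113.7", "2024-01-10T02:15:00Z", 50126, "singleFactorAuthentication"),
    # ...and then lands on an account that has no MFA requirement.
    _ev("legacy-test@contoso.example", "203.0.113.7", "2024-01-10T02:25:00Z", 0, "singleFactorAuthentication"),
    # Benign noise: a user mistypes once, then signs in with MFA from her own address.
    _ev("alice@contoso.example", "198.51.100.4", "2024-01-10T09:00:00Z", 50126, "multiFactorAuthentication"),
    _ev("alice@contoso.example", "198.51.100.4", "2024-01-10T09:01:00Z", 0, "multiFactorAuthentication"),
]


def parse_events(events):
    """Normalize raw records into sorted tuples the detectors can work with."""
    rows = []
    for e in events:
        rows.append({
            "user": e["userPrincipalName"].lower(),
            "ip": e["ipAddress"],
            "time": datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00")),
            "ok": e["status"]["errorCode"] == 0,
            "mfa": e["authenticationRequirement"] == "multiFactorAuthentication",
        })
    return sorted(rows, key=lambda r: r["time"])


def detect_password_spray(events, window=timedelta(minutes=60), min_users=5):
    """Return {ip: {"users": [...], "first_seen": datetime}} for every source
    address whose failed sign-ins hit at least `min_users` distinct accounts
    inside any sliding window of length `window`."""
    failures = defaultdict(list)  # ip -> [(time, user), ...]
    for r in parse_events(events):
        if not r["ok"]:
            failures[r["ip"]].append((r["time"], r["user"]))
    sprays = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                sprays[ip] = {
                    "users": sorted({u for _, u in attempts}),
                    "first_seen": attempts[0][0],
                }
                break
    return sprays


def successful_logins_after_spray(events, sprays):
    """Accounts that signed in successfully from a spraying address after the
    spray began, tagged by whether MFA was enforced. A 'single-factor' hit is
    the legacy-test-account-without-MFA case and should trigger a credential
    reset plus a review of everything that account touched afterwards."""
    hits = []
    for r in parse_events(events):
        if r["ok"] and r["ip"] in sprays and r["time"] >= sprays[r["ip"]]["first_seen"]:
            hits.append((r["user"], r["ip"], "mfa" if r["mfa"] else "single-factor"))
    return hits


if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_EVENTS)
    for ip, info in found.items():
        print(f"spray from {ip}: {len(info['users'])} accounts, first seen {info['first_seen']}")
    for user, ip, factor in successful_logins_after_spray(SAMPLE_EVENTS, found):
        print(f"  follow-on success: {user} from {ip} ({factor})")
```

Against real data you would feed the output of the Graph `auditLogs/signIns` endpoint (or the exported sign-in CSV) into `detect_password_spray`; the thresholds are assumptions and should be tuned to the tenant, since large tenants see legitimate shared egress addresses that fail many accounts in an hour.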

This access allowed the attackers to read and exfiltrate email from corporate mailboxes belonging to members of Microsoft’s senior leadership team and to employees in its cybersecurity and legal departments. APT29 previously carried out the 2020 SolarWinds supply chain attack, which impacted U.S. federal agencies and companies including Microsoft.

Separately, Microsoft disclosed in June 2021 that the same group had compromised a Microsoft corporate account and gained access to customer support tools, which it then used against a small number of customers.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
