The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new emergency directive aimed at U.S. federal agencies in response to the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group.

The directive, known as Emergency Directive 24-02, was issued on April 2 to Federal Civilian Executive Branch (FCEB) agencies. It mandates these agencies to conduct investigations into potentially affected emails, reset any compromised credentials, and implement measures to secure privileged Microsoft Azure accounts.

According to CISA, operatives from the Russian Foreign Intelligence Service (SVR) are now utilizing information pilfered from Microsoft's corporate email systems to gain unauthorized access to certain customer systems. CISA Director Jen Easterly emphasized the urgent need for action to mitigate risks to federal systems, highlighting the longstanding pattern of malicious cyber activity associated with Russia.

Microsoft, in conjunction with the U.S. cybersecurity agency, has notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by the Russian hackers.

This emergency directive marks the first official confirmation by the U.S. government that federal agency emails were compromised in the January Microsoft Exchange breaches. Affected agencies are instructed to assess the entirety of their correspondence with compromised Microsoft accounts and conduct a cybersecurity impact analysis by April 30, 2024.

Agencies detecting signs of authentication compromises are required to take immediate remedial action, including resetting compromised credentials and reviewing account activity logs for potential malicious activity.

While the requirements of Emergency Directive 24-02 specifically target FCEB agencies, the implications of the exfiltration of Microsoft corporate accounts extend to other organizations. These organizations are encouraged to seek guidance from their respective Microsoft account teams and bolster their security measures, including the use of strong passwords, multifactor authentication, and secure communication practices.

The APT29 hacking group, also known as Midnight Blizzard and NOBELIUM, gained access to Microsoft's corporate email servers in January through a password spray attack targeting a legacy non-production test tenant account lacking multifactor authentication. Subsequently, the attackers exploited an OAuth application with elevated access to steal data from corporate mailboxes belonging to Microsoft leadership and personnel in cybersecurity and legal departments.

APT29 previously made headlines for its involvement in the 2020 SolarWinds supply chain attack, which compromised several U.S. federal agencies and numerous companies, including Microsoft. In June 2021, the group breached another Microsoft corporate account, granting access to customer support tools.