Federal agencies caught sharing credentials with Microsoft over email
The Russia-linked hackers behind the attack on Microsoft's internal systems that began in late November stole credentials for federal agencies that could be used to compromise government departments, cyber authorities said Thursday.
The Cybersecurity and Infrastructure Security Agency issued an emergency directive on April 2, which it made public Thursday, requiring federal agencies to reset credentials and hunt for potential breaches or malicious activity. The deadline to report these actions to CISA was April 8.
“Agencies have moved with extraordinary urgency to remediate any instances of potentially exposed credentials,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said Thursday during a media briefing. “At this time, we are not aware of any agency production environments that have experienced a compromise as a result of credential exposure.”
Microsoft and several federal agencies exchanged credentials via email, which, according to CISA, created an unacceptable risk of exposure to the threat actor. Goldstein declined to say why the credentials were shared in these cases, but noted that logins are sometimes shared as part of a troubleshooting ticket or embedded in a code snippet sent to remediate an issue.
“That is certainly not a best practice and is one that does associate with a significant degree of risk,” Goldstein said.
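The practice Goldstein describes, a password or client secret pasted into a troubleshooting ticket or a code snippet, is something a mail or ticketing gateway can catch before the message leaves the organisation. The following is an added example and is not code from CISA, Microsoft or the article: a small Python scanner that looks for common credential shapes in ticket text (key=value passwords, CLI password flags, bearer tokens, PEM private keys), skips obvious placeholders, and redacts only the secret itself so the rest of the ticket stays readable. The sample ticket, the regular expressions and the placeholder list are constructed for illustration and are not any vendor's detection rules.

```python
"""Find and redact credentials embedded in ticket or e-mail text.

Added example; heuristic patterns, not a vendor's detection rules.
"""
import re
from dataclasses import dataclass

# Constructed sample ticket body with three embedded credentials
# (a service-principal secret, a DB password, a bearer token).
SAMPLE_TICKET = """Subject: RE: service principal sign-in failing in test tenant
Hi, the service principal still cannot authenticate. Here is the snippet we run:

    az login --service-principal -u 11111111-2222-3333-4444-555555555555 \\
        -p 'Wq8Q~examplefakeSecret1234567890ABCdefGHI' --tenant contoso.onmicrosoft.com

Also the connection string for the test DB:
Server=tcp:db.example.test,1433;User ID=svc_app;Password=Sup3rS3cret!;Encrypt=true;
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl
Thanks
"""

# Each pattern's group 1 captures the secret itself, so redaction can replace
# only that part and keep the surrounding context (usernames, hosts, flags).
PATTERNS = {
    # password=..., client_secret: "...", api_key = '...'
    "key_value_secret": re.compile(
        r"(?i)\b(?:password|passwd|pwd|client[_-]?secret|api[_-]?key|secret)"
        r"\s*[=:]\s*['\"]?([^\s;'\"]{6,})"),
    # CLI password flags, e.g.  az login --service-principal -p '...'
    "cli_password_flag": re.compile(
        r"(?:^|\s)(?:-p|--password|--client-secret)[\s=]+['\"]?([^\s'\"]{6,})", re.M),
    # HTTP Authorization header bearer tokens (JWTs and opaque tokens)
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-_.=]{20,})"),
    # PEM private key blocks
    "private_key": re.compile(
        r"(-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----)"),
}

# Values that are clearly documentation placeholders, not live credentials.
PLACEHOLDERS = {"changeme", "password", "redacted", "xxxxxxxx",
                "<password>", "<secret>", "********"}


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int   # offset of the secret within the text
    end: int
    secret: str


def find_secrets(text):
    """Return non-overlapping Finding objects, ordered by position."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            secret = m.group(1)
            if secret.strip("'\"").lower() in PLACEHOLDERS:
                continue
            findings.append(Finding(kind, m.start(1), m.end(1), secret))
    # Sort by start (longest span first) and drop spans that overlap an earlier
    # one, so a token matched by two patterns is reported once.
    findings.sort(key=lambda f: (f.start, -f.end))
    kept = []
    for f in findings:
        if kept and f.start < kept[-1].end:
            continue
        kept.append(f)
    return kept


def redact(text):
    """Replace every detected secret with a [REDACTED:<kind>] marker."""
    out = text
    # Work from the end so earlier offsets stay valid after each replacement.
    for f in reversed(find_secrets(text)):
        out = out[:f.start] + f"[REDACTED:{f.kind}]" + out[f.end:]
    return out


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_TICKET):
        print(f"{f.kind:18} at {f.start}: {f.secret[:6]}...")
    print(redact(SAMPLE_TICKET))
```

In a gateway, `redact` would run on the outbound ticket or mail body and the findings would drive a block-or-warn decision; the redacted text keeps the client ID, username and host so the troubleshooting context still makes sense to the recipient. The pattern list is deliberately small; a production deployment would extend it with the specific token formats in use and pair it with a credential-rotation workflow for anything that does slip through.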
The Russian state-sponsored threat group, which Microsoft tracks as Midnight Blizzard and which is also known as APT29 or Cozy Bear, was last month still using secrets it stole from Microsoft's systems in late November to gain, or attempt to gain, further access to the company's infrastructure, the company said in a filing with the Securities and Exchange Commission.
The nation-state group was known as Nobelium when it carried out the Sunburst supply-chain attack on SolarWinds and other companies in 2020.
CISA declined to quantify how many agencies Microsoft notified of potential exposure or which agencies were required to comply with the emergency directive.
“We would assess the potential for exposure of federal authentication credentials to the Midnight Blizzard actor does pose an exigent risk to the federal enterprise,” Goldstein said.
To read the complete article, visit Cybersecurity Dive.