Microsoft: Chinese hackers accessed government and individual email accounts

US State Department and the Commerce Department both affected

Chinese hackers gained access to some government and individual email accounts


Microsoft says a state-backed threat group covertly accessed email accounts at around 25 organisations worldwide, including government agencies in the US and Western Europe.

The company attributed the attacks to Storm-0558, a threat actor based in China.

The group primarily targets government agencies in Western Europe, and its activity centres on espionage, data theft and credential access.

"We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection," Charlie Bell, executive vice president at Microsoft Security said in a blog post.

"This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems," he added.

Tracking the spread

Microsoft began investigating unusual mail activity on 16th June, following reports from customers.

Subsequent investigation revealed that Storm-0558 had obtained access to email data from multiple organisations. It was also able to access a "limited number" of consumer accounts linked to individuals likely affiliated with these organisations.

The unauthorised access began on 15th May. Storm-0558 used a Microsoft account (MSA) consumer signing key it had acquired to forge authentication tokens and gain entry into user email accounts. Because the signing key is what the service trusts to validate a token, whoever holds it can mint tokens for accounts of their choosing without knowing a password or defeating multi-factor authentication.

Microsoft's investigation showed Storm-0558 used this method to access customer email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com.

"The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com," the company said.

Token validation issue enables enterprise hack

Separate systems issue and manage MSA (consumer) keys and Azure AD (enterprise) keys, and each key should only be valid for its respective system.

However, a token validation issue meant that tokens forged with the consumer key were accepted on the enterprise side, enabling the actor to impersonate Azure AD users.

This gave the group unauthorised access to enterprise mail accounts, not just consumer ones.
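The two passages above, on forging tokens with an acquired signing key and on a validation step that should have kept a consumer key from validating enterprise tokens, describe a failure that is easy to model. The following is an added illustration, not Microsoft's code and not a reconstruction of its token service: it keeps one key set per issuer, shows what an actor holding only the consumer key can produce, and contrasts a verifier that pools keys across issuers with one that only consults the key set belonging to the issuer it expects. HS256 (symmetric HMAC) is assumed purely so the example runs on the Python standard library; the real keys are asymmetric, but the lookup mistake is the same. The issuer URLs, key ids and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example: one key set per issuer, modelling the
# consumer / enterprise split the article describes. HS256 is an assumption
# made so the code runs on the standard library only.
CONSUMER_ISSUER = "https://consumer.example/"
ENTERPRISE_ISSUER = "https://enterprise.example/"

KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"msa-key-1": secrets.token_bytes(32)},
    ENTERPRISE_ISSUER: {"aad-key-1": secrets.token_bytes(32)},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWT: base64url(header).base64url(claims).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    return header, claims, (h + "." + p).encode(), _b64url_decode(s)


def _signature_ok(signing_input: bytes, sig: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_weak(token: str, expected_issuer: str) -> bool:
    """Flawed verifier: checks the issuer claim, then searches EVERY issuer's
    key set for the advertised kid. A token carrying enterprise claims but
    signed with the consumer key therefore validates."""
    header, claims, signing_input, sig = _parse(token)
    if header.get("alg") != "HS256" or claims.get("iss") != expected_issuer:
        return False
    for keyset in KEYS_BY_ISSUER.values():  # pooled lookup across issuers
        key = keyset.get(header.get("kid"))
        if key is not None and _signature_ok(signing_input, sig, key):
            return True
    return False


def verify_strict(token: str, expected_issuer: str) -> bool:
    """Hardened verifier: the kid is resolved only within the key set that
    belongs to the issuer this service expects, so a consumer key can never
    validate an enterprise token regardless of the claims it carries."""
    header, claims, signing_input, sig = _parse(token)
    if header.get("alg") != "HS256" or claims.get("iss") != expected_issuer:
        return False
    key = KEYS_BY_ISSUER[expected_issuer].get(header.get("kid"))
    if key is None:
        return False
    return _signature_ok(signing_input, sig, key)


def forged_enterprise_token() -> str:
    """What an actor holding only the consumer signing key can mint:
    enterprise claims, signed with the consumer key, advertising its kid."""
    stolen_kid, stolen_key = next(iter(KEYS_BY_ISSUER[CONSUMER_ISSUER].items()))
    claims = {"iss": ENTERPRISE_ISSUER, "aud": "mail", "sub": "victim@corp.example"}
    return sign_token(claims, stolen_kid, stolen_key)


def legitimate_enterprise_token() -> str:
    """A genuine enterprise token, signed with the enterprise key."""
    kid, key = next(iter(KEYS_BY_ISSUER[ENTERPRISE_ISSUER].items()))
    claims = {"iss": ENTERPRISE_ISSUER, "aud": "mail", "sub": "user@corp.example"}
    return sign_token(claims, kid, key)


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("weak verifier accepts forged token:  ", verify_weak(forged, ENTERPRISE_ISSUER))
    print("strict verifier accepts forged token:", verify_strict(forged, ENTERPRISE_ISSUER))
```

The point of the contrast is that a valid signature is not enough: the verifier has to confirm that the key which produced it is one the expected issuer is entitled to use. Any service that loads keys from more than one trust domain into a single lookup, keyed only by `kid`, has the weak shape shown here.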

"We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key," Microsoft said.

The company says it took immediate steps to address the situation by mitigating the acquired MSA key, so that tokens forged with it are no longer honoured.

It has also blocked the actor's activity and says Storm-0558 is no longer able to continue its unauthorised access.

Although Microsoft did not explicitly disclose the specific organisations or governments impacted, at least one appears to be the US government.

A spokesperson from the White House National Security Council said the administration had contacted Microsoft to identify the source and the vulnerability within its cloud service, according to the Washington Post.

The US State Department and the Commerce Department have confirmed that they were impacted by the incident.

The Washington Post reported that email accounts belonging to Secretary of Commerce Gina Raimondo and officials from the Department of State were compromised.

Adam Hodge, a spokesperson for the White House National Security Council, said the intrusion had affected "unclassified systems."

"Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service," Hodge added.

China moving away from "smash-and-grab"

A recent report by Google Cloud-owned Mandiant claimed that hackers with support from the Chinese government exploited a vulnerability within an email security service.

This exploitation led to unauthorised access to the networks of multiple public and private sector entities worldwide, approximately one-third of them government agencies.

Chinese officials dismissed the report as "far-fetched and unprofessional."

US officials have previously expressed concerns regarding possible cyberattacks originating from Chinese state-supported hackers, an allegation China has consistently denied.

John Hultquist, chief analyst at Mandiant, says Chinese cyber espionage campaigns have "come a long way from the smash-and-grab tactics many of us are familiar with."

"Rather than manipulating unsuspecting victims into opening malicious files or links, these actors are innovating and designing new methods that are already challenging us.

"They are leading their peers in the deployment of zero-days and they have carved out a niche by targeting security devices specifically.

"The reality is that we are facing a more sophisticated adversary than ever, and we'll have to work much harder to keep up with them."