Chinese hackers used a Microsoft cloud bug to get access to US government email accounts

Chinese hackers used a hole in Microsoft’s cloud email service to obtain access to the email accounts of US government officials, according to the technology giant.
According to Microsoft, the hacking gang known as Storm-0558 compromised about 25 email accounts, including those of government institutions, as well as related consumer accounts tied to persons associated with these organizations. Microsoft uses the nickname “Storm” to identify hacking groups that are fresh, emergent, or “in development.”
The government agencies targeted by Storm-0558 have not been identified by Microsoft. According to Adam Hodge, a spokesperson for the White House’s National Security Council, US federal entities were affected.
“Last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” Hodge said in a statement to TechCrunch. “Officials contacted Microsoft immediately to determine the source and vulnerability in their cloud service. We continue to hold the US government’s procurement vendors to a high security standard.”
According to The Wall Street Journal, the State Department was one of several federal institutions infiltrated. According to CNN, the State Department notified Microsoft of the incident.
Storm-0558, a China-based hacking outfit described by Microsoft as a “well-resourced” adversary, obtained access to email accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user accounts. Microsoft said in its technical investigation of the incident that the hackers used an acquired Microsoft consumer signing key to forge tokens to access OWA and Outlook.com. The hackers then took advantage of a token validation flaw to impersonate Azure AD users and obtain access to enterprise email accounts.
Storm-0558’s malicious behavior went undiscovered for approximately a month until users reported unusual email activity to Microsoft, according to Microsoft.
“We believe this adversary is intent on espionage, such as gaining access to email systems to gather intelligence. This type of espionage-motivated adversary seeks to exploit credentials and gain access to sensitive systems’ data,” said Charlie Bell, Microsoft’s chief cybersecurity executive.
The assault was successfully mitigated, according to Microsoft, and Storm-0558 no longer has access to the compromised accounts. However, the corporation has not stated whether any sensitive data was exfiltrated during the attackers’ month-long access.
According to a CISA advisory, the attackers gained access to unclassified email data.
A senior FBI agent, who described the month-long infiltration as a “targeted campaign,” declined to confirm the overall number of victims during a briefing attended by TechCrunch on Wednesday, but indicated the number of impacted federal entities was in the “single digits.” The official refused to identify the agencies affected.
While the overall impact of the event is unknown, a senior CISA official stated that the agency discovered that a government-backed actor — which the US government has not yet identified as China — exfiltrated a “limited amount” of Exchange Online data.
CISA and the FBI are advising any organization that notices unusual activity in Microsoft 365 to contact them.