Microsoft reported that Chinese hackers had access to government email accounts in the United States and Western Europe. The company said that the hackers, who it identified as a group known as Storm-0558, were likely motivated by spying.
The hack, which went undetected for a month, targeted email accounts used by approximately 25 organizations including government agencies and think tanks. Microsoft said that the hackers could steal sensitive information, including emails, documents, and passwords.
The company stated that it had notified the affected organizations and taken steps to mitigate the damage. The company also emphasized working with law enforcement to investigate the hack. In its blog post, Microsoft explains:
The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems.
The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor.
OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.
It has teamed up with the Department of Homeland Security (DHS)'s Cybersecurity and Infrastructure Security Agency (CISA) to address affected customers. Microsoft adds that such customers or organizations have been contacted directly.
Here is how Microsoft summarized its mitigation efforts to combat this attack:
Microsoft has mitigated the acquired MSA key and our telemetry indicates the actor activities have been blocked. We took the following proactive steps as our investigation proceeded:
- Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA preventing further threat actor enterprise mail activity.
- Microsoft completed the replacement of the key to prevent the threat actor from using it to forge tokens.
- Microsoft blocked usage of tokens issued with the key for all impacted consumer customers.
Storm-0558 is a well-known Chinese hacking group that has been active for several years. The group has been linked to several high-profile hacks. And the hack is the latest high-profile cyberattack targeting government agencies and other sensitive organizations.
In recent years, there has been a growing concern about the threat of Chinese cyber espionage. Lately, Microsoft says state-sponsored China actor targeting critical infrastructure in the US. However, the Chinese government has denied any involvement in the hack. The attack came after the country rethought its policies to support the domestic chip industry amid US restrictions.