Cyber criminals linked to the Chinese government have exploited a software flaw to steal emails from several U.S. government employees.
The breach stemmed from a vulnerability in Microsoft’s web-based Cloud systems, which the threat actors used to compromise two dozen government agencies, including the State Department.
Microsoft hasn’t identified the government agencies targeted in the attack. However, it did say that the attackers compromised personal accounts “associated” with the agencies, and it’s likely that the accounts belong to employees at those organisations.
Experts quickly learned that the attack was part of a continued effort from Chinese hackers to spy on and steal data from political rivals.
Sen. Mark Warner, who chairs the Senate Intelligence Committee, said the group is “closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence.”
He added: “It’s clear that the [Chinese government] is steadily improving its cyber collection capabilities directed against the U.S. and our allies. Close coordination between the U.S. government and the private sector will be critical to countering this threat.”
What went wrong?
This incident relates to a software flaw in Microsoft’s Outlook Web Access in Exchange Online and Outlook.com.
In its technical analysis of the attack, Microsoft explained that the criminal hackers used an acquired Microsoft consumer signing key to forge authentication tokens. This enabled them to exploit a token validation flaw, impersonate Azure AD users and access enterprise email accounts.
According to Microsoft, the hacking group – tracked as Storm-0558 – compromised approximately 25 email accounts using this method. It added that this activity had gone undetected for a month until customers alerted the tech giant to unusual and suspicious email activity.
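The validation weakness Microsoft describes can be illustrated with a small model: a verifier that trusts any recognised signing key, versus one that also checks the key is authorised for the issuer and audience the token claims. The code below is an added example and not Microsoft's code; it uses HMAC-signed JWTs and constructed key names, issuer names and secrets as stand-ins for the real consumer and enterprise signing keys.

```python
import base64, hashlib, hmac, json, time

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed key registry (assumption): each signing key is bound to the single
# issuer it is allowed to sign tokens for. Secrets are toy values, not real keys.
KEYS = {
    "consumer-kid": {"secret": b"consumer-secret-example", "iss": "consumer-issuer"},
    "enterprise-kid": {"secret": b"enterprise-secret-example", "iss": "enterprise-issuer"},
}

def sign(kid: str, claims: dict) -> str:
    """Mint an HS256 JWT with the named key (stands in for a token-forging step)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)

def _check_signature(token: str):
    """Verify the signature against whichever registered key the header names."""
    h, p, s = token.split(".")
    header, claims = json.loads(b64u_decode(h)), json.loads(b64u_decode(p))
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        raise ValueError("unknown key or algorithm")
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_decode(s)):
        raise ValueError("bad signature")
    return key, claims

def verify_lenient(token: str) -> dict:
    """Weak check: a valid signature under ANY known key is enough, so a token
    signed with the consumer key but claiming enterprise issuer/audience passes."""
    return _check_signature(token)[1]

def verify_strict(token: str, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Hardened check: key must be bound to the issuer the token claims, and the
    issuer, audience and expiry must match what this service expects."""
    key, claims = _check_signature(token)
    if key["iss"] != expected_iss or claims.get("iss") != expected_iss:
        raise ValueError("signing key not authorised for this issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("token expired")
    return claims

def accepted(verifier, token: str, *args) -> bool:
    """Convenience wrapper: True if the verifier accepts the token."""
    try:
        verifier(token, *args)
        return True
    except ValueError:
        return False
```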
Microsoft hasn’t disclosed the government agencies targeted in the attack, but The Wall Street Journal and CNN both reported that the State Department was one of several federal agencies that were compromised.
Should we be concerned?
Any time Microsoft reveals that a software flaw has been exploited, there will naturally be cause for concern. The tech giant is a major government contractor, and its Exchange software is used by countless clients in the public and private sectors.
A security breach could potentially have huge ramifications, particularly when you consider that this attack is reportedly state sponsored.
It’s why Microsoft invests significantly in cybersecurity research and threat containment, and why stories such as this are comparatively rare.
Although the organisation has not dismissed the severity of this breach, its comments suggest that it was a particularly unusual intrusion and not a sign of a systemic issue.
It’s an opinion shared by other tech firms, including Google. Charles Carmakal, the senior vice president and chief technology officer at Google’s software subsidiary Mandiant, said:
“This was a very advanced technique used by the threat actor against a limited number of high value targets. Each time the technique was used, it increased the chances of the threat actor getting caught.
“Kudos to Microsoft for leaning in, figuring this out, remediating, collaborating with partners and being transparent.”
Microsoft later confirmed that it had mitigated the attack and the threat actors no longer have access to the compromised accounts.
But no matter how well Microsoft handles this incident, we are almost certainly going to get more reports like this in the future. Cybersecurity experts have been urging organisations to take the threat of Chinese hackers seriously for years. Indeed, the U.S.’s top cybersecurity official, Jen Easterly, described the threat as ‘epoch defining’ in a speech earlier this year.
Meanwhile, with CISA and the FBI continuing to monitor attacks on Microsoft, they have urged organisations to report anomalous activity that they detect in Cloud-based systems to the agencies.