Microsoft warns that China-linked APT group breached email accounts of a U.S. agency and other organizations
In mid-2023, a China-linked threat group known as Storm-0558 carried out a sophisticated espionage-driven cyberattack, targeting cloud email accounts primarily via Microsoft’s Outlook and Exchange Online services. The attack, which lasted about a month, saw the hackers gain access to the email accounts of at least 25 organizations, including U.S. and European government agencies, to steal sensitive diplomatic and policy communications.
The group's methods were particularly sophisticated. They acquired an obscure Azure AD signing key through a complex chain of technical exploits and used it to forge authentication tokens, giving them access to email that went undetected. With the forged tokens the hackers minted valid OAuth tokens, impersonated legitimate users, and bypassed authentication without triggering the usual security detections.
By exploiting two flaws in Microsoft's token verification process, the attackers gained access to Outlook Web Access (OWA) and Outlook.com email accounts. The same flaws could potentially have enabled token forgery against other Azure AD-authenticated applications beyond email, such as SharePoint, Teams, and OneDrive; however, email was the primary disclosed target.
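The passage above describes the core failure: a signing key that was valid for one identity scope was accepted by a verifier as proof of identity in another, and the resulting tokens passed as legitimate. The following is an added illustration of that verification logic, not Microsoft's code and not a reproduction of the real incident. It uses a toy HMAC-signed JWT with a constructed key store (the key identifiers, secrets, issuer URLs and claims are all hypothetical) and contrasts a lax validator, which accepts any token whose signature matches any known key, with a strict validator that binds each key to one issuer and also checks issuer, audience, expiry and algorithm.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key store for the example. Each key is scoped to the single issuer
# it is allowed to sign for. Names, secrets and URLs are hypothetical.
CONSUMER_ISS = "https://login.example.test/consumer"
ENTERPRISE_ISS = "https://login.example.test/enterprise"
KEY_STORE = {
    "consumer-key-1": {"secret": b"consumer-demo-secret", "issuer": CONSUMER_ISS},
    "enterprise-key-1": {"secret": b"enterprise-demo-secret", "issuer": ENTERPRISE_ISS},
}


class TokenRejected(Exception):
    """Raised by the strict validator with the reason a token was refused."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str) -> str:
    """Issue a compact HS256 JWT with the given key id (test helper only)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(KEY_STORE[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _signature_matches(h64: str, p64: str, s64: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(s64))


def validate_lax(token: str) -> dict:
    """The weak pattern: any key in the store may vouch for any issuer.

    A token signed with a consumer-scoped key but claiming the enterprise
    issuer passes here, which is the class of failure the article describes.
    """
    h64, p64, s64 = token.split(".")
    header = json.loads(_b64url_decode(h64))
    key = KEY_STORE[header["kid"]]
    if not _signature_matches(h64, p64, s64, key["secret"]):
        raise TokenRejected("bad signature")
    return json.loads(_b64url_decode(p64))


def validate_strict(token: str, expected_issuer: str, expected_audience: str, now: float = None) -> dict:
    """Hardened validator: key is bound to issuer, and iss/aud/exp/alg are all checked."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    key = KEY_STORE.get(header.get("kid"))
    if key is None:
        raise TokenRejected("unknown kid")
    # Key scoping: refuse before even checking the signature if this key is not
    # the one that may sign for the issuer this service trusts.
    if key["issuer"] != expected_issuer:
        raise TokenRejected("key not valid for this issuer")
    if not _signature_matches(h64, p64, s64, key["secret"]):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != expected_issuer:
        raise TokenRejected("issuer mismatch")
    if claims.get("aud") != expected_audience:
        raise TokenRejected("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenRejected("token expired or missing exp")
    return claims


def outcome(token: str, expected_issuer: str, expected_audience: str, now: float) -> str:
    """Return 'accepted' or the rejection reason from the strict validator."""
    try:
        validate_strict(token, expected_issuer, expected_audience, now)
        return "accepted"
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    claims = {"iss": ENTERPRISE_ISS, "aud": "mail-api", "sub": "alice", "exp": 2_000_000_000}
    good = sign_token(claims, "enterprise-key-1")
    cross_scope = sign_token(claims, "consumer-key-1")  # wrong key for the claimed issuer
    print("lax validator on cross-scope token:", validate_lax(cross_scope)["sub"])
    print("strict validator on good token:", outcome(good, ENTERPRISE_ISS, "mail-api", 1_700_000_000))
    print("strict validator on cross-scope token:", outcome(cross_scope, ENTERPRISE_ISS, "mail-api", 1_700_000_000))
```

The order of checks matters: the strict validator rejects a key that is not bound to the expected issuer before verifying the signature, so a correctly signed token from the wrong trust domain never reaches the claims stage. Real deployments use asymmetric keys fetched from a JWKS endpoint rather than shared secrets, but the binding of each key to one issuer and the audience and expiry checks apply unchanged.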
The targets were primarily government agencies in the United States and Europe, and within them high-value diplomatic and policy actors; around 25 organizations were confirmed breached. Approximately 60,000 State Department emails were accessed during related Exchange server intrusions earlier in 2023 that were also attributed to Storm-0558.
The breach exposed the evolution of Chinese APTs in abusing cloud services through novel token forgery techniques rather than relying solely on traditional software vulnerabilities. Following the disclosure of the attack, calls for reforms in cloud identity security and stricter token issuance controls have been made, as Microsoft's security failures enabled this "cascading series of technical failures."
The Department of State took immediate steps to secure its systems and continues to closely monitor and respond to any further activity. Any organization detecting unusual activity in their cloud or on-premises environment is urged to contact the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI.
Microsoft investigated the incident and found that an advanced persistent threat actor had gained access to, and stolen, unclassified Exchange Online Outlook data from a small number of accounts. The hacking group typically targets Western European governments for espionage, data theft, and credential access.
Federal officials are still investigating the root cause of the attacks, but they have not attributed the attacks to a particular country. However, they have confirmed an APT actor was involved. The total number of U.S. organizations impacted by the attack is in the single digits, according to a senior CISA official.
In light of this incident, it is clear that enhanced Microsoft cloud identity protections and vigilant monitoring for anomalous token use and access patterns are necessary. This incident serves as a reminder of the ever-evolving threat landscape and the importance of cybersecurity vigilance.
- The cyberspace incident, involving the China-linked threat group Storm-0558, has highlighted the necessity for enhanced cybersecurity measures, particularly in light of the group's novel token forgery techniques that exploited Microsoft's cloud services.
- Privacy concerns arise because the breach, which targeted government agencies and diplomatic communications, underscores the vulnerability of sensitive information in the digital age and emphasizes the crucial role of cybersecurity in safeguarding personal data.
- In the aftermath of this cyberattack, discussions regarding cloud identity security have intensified, with calls for reforms and stricter controls to prevent further exploitation by malicious actors, as the intersection of technology, politics, and security becomes increasingly complicated.