Chinese hackers infiltrated Microsoft and stole a consumer signing key, enabling them to target multiple email accounts of businesses and government organizations in the West. Microsoft is actively investigating the incident and the method used by the hackers to acquire the key. Here is an in-depth analysis of the incident released by Microsoft. The breach resulted in unauthorized access to and extraction of emails from the affected users. Microsoft has since addressed the issue, requiring no action from the users. The responsible group, Storm-0558, is a Chinese cyber-espionage entity specializing in data theft.
Why does it matter?
A Chinese state-sponsored threat actor likely conducted the attack, targeting U.S. government agencies such as the State Department and the Department of Commerce. If the Chinese obtained sensitive information, it would pose significant national security implications. The stolen data could enable devastating attacks like identity theft, wire fraud, and ransomware.
This incident occurs amidst worsening U.S.-China relations, particularly concerning 5G infrastructure and Taiwan. The breach gives China an edge in its global rivalry with the West.
What have others said about it?
Microsoft identified the campaign after receiving a tip from a customer, who turned out to be the U.S. State Department. The attackers utilized forged authentication tokens and a stolen Microsoft account consumer signing key to gain access to customer email accounts through Outlook Web Access in Exchange Online (OWA) and Outlook.com. Microsoft revoked all active MSA signing keys and addressed the API flaw to mitigate the attack. However, the threat actors adapted to new techniques after the key revocation.
Microsoft assured potentially affected customers that they did not need to take any action as the company implemented the necessary updates. Microsoft directly contacted targeted firms to provide them with vital mitigation and response information. The company confirmed that if organizations were not contacted, they were not impacted by the attack.
The attack, described as “advanced and strategically-executed,” involved nation-state attackers with the resources and skills to infiltrate government email accounts without detection. The incident highlights the need for a layered security approach, including measures like multi-factor authentication (MFA), application security programs, and behaviour-based anomaly detection, to combat cybercriminals who exploit unknown vulnerabilities and target systems and endpoints.
What can we learn from this incident?
Advanced email compromise attacks, like the Storm-0558 incident that targeted the U.S. government, offer valuable lessons for all organizations.
To mitigate such attacks, implement a layered security approach. Start with foundational measures like multi-factor authentication for secure email account access. Enhance defences through robust vulnerability and application security programs.
Detection plays a crucial role. Leverage behaviour-based anomaly detection powered by AI, focusing on the account holder’s identity and behaviour. Rapid detection is essential, particularly for high-value intelligence organizations.
As advanced email attacks increase, organizations must strengthen their defences. By combining layered security and effective detection, teams can better defend against evolving threats.