Chinese hackers tracked by Microsoft as Storm-0558 exploited a token-validation weakness in Microsoft's cloud email services to gain unauthorized access to the email accounts of US government employees, the company has confirmed.
According to Microsoft, Storm-0558 targeted approximately 25 organizations, including government agencies, along with consumer accounts belonging to individuals likely associated with those organizations. The "Storm" prefix in Microsoft's naming scheme denotes an emerging activity cluster that has not yet been fully attributed to a known, named actor.
While Microsoft has not disclosed the specific government agencies affected, Adam Hodge, a spokesperson for the White House’s National Security Council, acknowledged that US government agencies were indeed impacted by the intrusion. Hodge stated that last month, US government safeguards detected the breach in Microsoft’s cloud security, prompting immediate action to identify the source and vulnerability within the cloud service.
Microsoft’s investigation found that Storm-0558, a well-resourced, China-based actor, gained access to mailboxes through Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens. The actor had acquired a Microsoft account (MSA) consumer signing key and used it to mint tokens that granted access to OWA and Outlook.com. A token validation issue then allowed tokens signed with that consumer key to be accepted as Azure AD tokens, letting the actor impersonate enterprise users and read enterprise mailboxes.
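The validation flaw described above is a key-scoping problem: a token signed by one issuer's key was accepted for another issuer's users. The following added example (illustrative code, not Microsoft's implementation, and not taken from the article) shows a flawed validator that resolves the `kid` header against the union of every trusted issuer's keys, beside a hardened one that only consults the key set of the issuer the token claims and requires that issuer to be the one the resource trusts. The issuer URLs, key IDs, audience and tenant names are invented, and HMAC-SHA256 stands in for the RSA keys real identity providers use so that the example runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key material (hypothetical names). Real issuers publish
# RSA/ECDSA keys; HMAC keeps this stdlib-only.
CONSUMER_KEYS = {"msa-key-1": b"consumer-signing-secret"}      # consumer (MSA-like) issuer
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-signing-secret"}  # enterprise (Azure AD-like) issuer

CONSUMER_ISSUER = "https://consumer.example/"
ENTERPRISE_ISSUER = "https://enterprise.example/"
ISSUER_KEYS = {CONSUMER_ISSUER: CONSUMER_KEYS, ENTERPRISE_ISSUER: ENTERPRISE_KEYS}
MAIL_AUDIENCE = "mail-api"  # the audience an enterprise mail resource expects


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWS (JWT) over `claims` with HMAC-SHA256 under `key`."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def split_token(token: str):
    h, p, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(p)),
            (h + "." + p).encode(), b64url_decode(s))


def signature_ok(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig)


def claims_ok(claims: dict, now: float) -> bool:
    return claims.get("aud") == MAIL_AUDIENCE and claims.get("exp", 0) >= now


def validate_vulnerable(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Flawed validator: looks `kid` up in the union of every issuer's keys, so a
    token signed with the consumer key but carrying enterprise claims passes."""
    now = time.time() if now is None else now
    header, claims, signing_input, sig = split_token(token)
    all_keys = {k: v for keys in ISSUER_KEYS.values() for k, v in keys.items()}
    key = all_keys.get(header.get("kid"))
    if key is None or not signature_ok(key, signing_input, sig) or not claims_ok(claims, now):
        return None
    return claims


def validate_hardened(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Hardened validator: the issuer must be the one this enterprise resource
    trusts, and `kid` is resolved only within that issuer's own key set."""
    now = time.time() if now is None else now
    header, claims, signing_input, sig = split_token(token)
    if claims.get("iss") != ENTERPRISE_ISSUER:
        return None
    key = ISSUER_KEYS[ENTERPRISE_ISSUER].get(header.get("kid"))
    if key is None or not signature_ok(key, signing_input, sig) or not claims_ok(claims, now):
        return None
    return claims


def forged_enterprise_token(now: float) -> str:
    """What an actor holding only the consumer key can mint: enterprise issuer
    and tenant claims, signed with the acquired consumer key."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "tid": "victim-tenant",
              "upn": "admin@victim.example", "iat": int(now), "exp": int(now) + 3600}
    return sign_token(claims, "msa-key-1", CONSUMER_KEYS["msa-key-1"])


def legit_enterprise_token(now: float) -> str:
    """A token the enterprise issuer itself would mint, for comparison."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "tid": "victim-tenant",
              "upn": "user@victim.example", "iat": int(now), "exp": int(now) + 3600}
    return sign_token(claims, "aad-key-1", ENTERPRISE_KEYS["aad-key-1"])


if __name__ == "__main__":
    t0 = 1_700_000_000
    print("vulnerable accepts forged token:", validate_vulnerable(forged_enterprise_token(t0), t0) is not None)
    print("hardened accepts forged token:  ", validate_hardened(forged_enterprise_token(t0), t0) is not None)
```

The hardened path still checks signature, audience and expiry; what changes is that the key lookup is bound to the issuer the resource trusts, so possession of a different issuer's key buys nothing. The same rule applies when a validator caches multiple JWKS documents: keep them partitioned per issuer rather than merging them into one `kid` map.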
The malicious activity went undetected for approximately a month, until customers reported anomalous mail activity and Microsoft began investigating. The company says it has since mitigated the attack for all affected customers and that Storm-0558 no longer has access to the compromised accounts. However, Microsoft has not said whether any sensitive data was exfiltrated during the roughly month-long window in which the attackers had access.
Charlie Bell, Microsoft’s top cybersecurity executive, stated that they assess Storm-0558 to be focused on espionage, aiming to gain access to email systems for intelligence collection. This type of adversary seeks to abuse credentials and extract data from sensitive systems.
The incident highlights the ongoing threat posed by cyberattacks and emphasizes the need for robust security measures to protect sensitive government data.