Microsoft has confirmed that a flaw in its cloud email service has allowed Chinese hackers to gain access to the email accounts of US government employees.
The hacking group is known as Storm-0558, following the convention of using “Storm” as a nickname to track hacking groups that are emerging or in development.
While Microsoft hasn’t identified the specific government agencies that have been targeted, it is known that 25 email accounts were affected. These include those within government agencies, as well as consumer accounts that are linked to people associated with the organizations.
Microsoft Security Breaches
The Storm-0558 attack is the latest in a line of recent security breaches within Microsoft.
Earlier this month, Microsoft had to deny large scale DDoS attacks in which hackers claimed they’d stolen 30 million customer records. Following this, a member of the US Navy’s information security research team exposed a flaw within the company's incoming file restraints, which allowed attackers to share malware.
How Did The Attack Take Place?
In its investigation and technical analysis of the attack, Microsoft explained that Storm-0558 forged authentication tokens to gain access to email accounts using Outlook Web Access in Exchange Online and outlook.com. From there, they exploited a token validation issue to impersonate Azure AD users and get access to enterprise email accounts.
“Last month, US government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems. Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the US Government to a high security threshold.” – Adam Hodge, spokesperson for the White House’s National Security Council
Microsoft has called Storm-0558 a “well-resourced” adversary.
It's Not Yet Known If Any Sensitive Data Was Exfiltrated
It’s reported that the malicious activity had gone undetected for around a month, until flagged by customers to Microsoft, citing unexpected mail activity as the basis for their concerns.
“We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems” – Charlie Bell, Microsoft’s top cybersecurity executive.
The attack has since been successfully mitigated and Storm-0558 no longer has access to the email accounts. However, Microsoft has not yet confirmed whether any sensitive data was exfiltrated.