Microsoft has confirmed that a group of Chinese hackers exploited a vulnerability in its cloud email service, resulting in unauthorized access to the email accounts of US government employees. The hacking group, identified as Storm-0558, targeted approximately 25 email accounts, including those of government agencies and related consumer accounts linked to individuals associated with these organizations. Microsoft uses the nickname “Storm” to track emerging or developing hacking groups.
US Government Agencies Affected, Investigation Underway
Adam Hodge, a spokesperson for the White House’s National Security Council, confirmed that the breach impacted US government agencies, although Microsoft has not disclosed which agencies were affected. The State Department was reportedly among those compromised and alerted Microsoft to the breach.
Method of Attack and Detection
Microsoft’s investigation revealed that Storm-0558, described as a well-resourced adversary based in China, gained access to email accounts by forging authentication tokens to exploit Outlook Web Access (OWA) in Exchange Online and Outlook.com. The hackers had acquired a Microsoft consumer signing key, which let them forge tokens accepted by OWA and Outlook.com. They then exploited a token validation issue that allowed tokens signed with that consumer key to impersonate Azure AD (enterprise) users, gaining entry to enterprise email accounts. The malicious activity went undetected for approximately a month, until customers noticed abnormal mail activity and alerted Microsoft.
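The validation issue described above is, in general terms, a failure to bind a signing key to the issuer it is allowed to sign for: a key meant for consumer tokens was accepted as proof of an enterprise identity. The following is an added, deliberately simplified illustration of that class of check and is not Microsoft's code, token format or keys. It uses a constructed HMAC-SHA256 token scheme with hypothetical key identifiers (`consumer-key-1`, `enterprise-key-1`) and issuer URLs, and contrasts a validator that accepts any known key for any issuer with one that rejects a token unless its key is registered for the expected issuer.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed issuer identifiers (hypothetical, not real Microsoft endpoints).
CONSUMER_ISSUER = "https://login.example/consumers"
ENTERPRISE_ISSUER = "https://login.example/enterprise-tenant"

# Hypothetical key registry. Each key is bound to exactly one issuer; a correct
# validator must check that binding, not merely that the signature verifies.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret-constructed", "issuer": CONSUMER_ISSUER},
    "enterprise-key-1": {"secret": b"enterprise-secret-constructed", "issuer": ENTERPRISE_ISSUER},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Constructed test helper: sign claims with the key identified by `kid`."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _parse(token: str):
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    return header, claims, f"{header_b64}.{claims_b64}", _b64url_decode(sig_b64)


def _signature_ok(kid: str, signing_input: str, sig: bytes) -> bool:
    key = KEYS.get(kid)
    if key is None:
        return False
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _claims_ok(claims: dict, expected_issuer: str, expected_audience: str, now: float) -> bool:
    return (
        claims.get("iss") == expected_issuer
        and claims.get("aud") == expected_audience
        and claims.get("exp", 0) > now
    )


def validate_weak(token: str, expected_issuer: str, expected_audience: str, now=None):
    """Flawed validator: any registered key may vouch for any issuer.

    The signature is genuine and the claims look right, so a token signed with a
    key from a different trust domain is accepted as an enterprise identity.
    Returns the subject on success, None on rejection."""
    now = time.time() if now is None else now
    header, claims, signing_input, sig = _parse(token)
    if header.get("alg") != "HS256" or not _signature_ok(header.get("kid"), signing_input, sig):
        return None
    if not _claims_ok(claims, expected_issuer, expected_audience, now):
        return None
    return claims.get("sub")


def validate_strict(token: str, expected_issuer: str, expected_audience: str, now=None):
    """Hardened validator: the key must be registered for the expected issuer.

    The key-to-issuer binding is checked before the signature, so a valid
    signature from a key of another trust domain is never accepted."""
    now = time.time() if now is None else now
    header, claims, signing_input, sig = _parse(token)
    kid = header.get("kid")
    key = KEYS.get(kid)
    if header.get("alg") != "HS256" or key is None or key["issuer"] != expected_issuer:
        return None  # unknown key, or key not authorized for this issuer
    if not _signature_ok(kid, signing_input, sig):
        return None
    if not _claims_ok(claims, expected_issuer, expected_audience, now):
        return None
    return claims.get("sub")


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"iss": ENTERPRISE_ISSUER, "aud": "api://mail", "sub": "user@enterprise", "exp": now + 600}
    cross_domain = mint_token("consumer-key-1", claims)  # constructed: consumer key, enterprise claims
    print("weak accepts cross-domain token:", validate_weak(cross_domain, ENTERPRISE_ISSUER, "api://mail", now))
    print("strict accepts cross-domain token:", validate_strict(cross_domain, ENTERPRISE_ISSUER, "api://mail", now))
```

The detection angle follows from the same binding: a service that records which `kid` signed each accepted token can alert when a key outside the expected issuer's set is seen authenticating to enterprise resources, which is the kind of anomaly that a key-scoping check prevents outright.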
Focus on Espionage and Mitigation
Charlie Bell, Microsoft’s top cybersecurity executive, said that Storm-0558 appears to be an espionage-motivated adversary focused on intelligence collection. Microsoft mitigated the attack and revoked Storm-0558’s access to the compromised accounts. However, it is unclear whether any sensitive data was exfiltrated during the month-long period of unauthorized access.
US Agencies Take Action and Encourage Reporting
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging organizations to report any anomalous activity related to Microsoft 365. During a briefing, a senior FBI official described the intrusion as a targeted campaign affecting a single-digit number of government agencies, in which a government-backed actor exfiltrated a limited amount of Exchange Online data; the US government has not attributed the attack to China. CISA and the FBI emphasize the importance of promptly reporting any suspicious activity to their agencies.