A recently uncovered cybersecurity breach shows that China-based hackers exploited a flaw in Microsoft's cloud email service to gain unauthorized access to the email accounts of U.S. government employees. The intrusion, which went undetected for roughly a month, has raised concerns about the security of sensitive government information and prompted investigations into the extent of the attack.
Storm-0558: A Well-Resourced Hacking Group
The hacking group, tracked by Microsoft as Storm-0558, gained access to email accounts at approximately 25 organizations, including government agencies, as well as consumer accounts of individuals likely associated with those organizations. Microsoft uses the "Storm" prefix for emerging or still-developing threat groups that it has not yet formally attributed. While Microsoft has not disclosed which agencies were targeted, a spokesperson for the White House's National Security Council confirmed that U.S. government agencies were among those affected.
Government Agencies Sound the Alarm
The breach was first identified by U.S. government safeguards: a federal civilian agency noticed anomalous mail access activity in its Microsoft 365 audit logs, affecting unclassified systems, and immediately contacted Microsoft to track down the source and the underlying weakness in the cloud service. The incident has underscored the importance of robust security controls, including logging that customers can actually inspect, from the cloud providers the government buys services from.
State Department Among the Affected
According to reports, the State Department was one of the federal agencies compromised in the attack. The State Department promptly alerted Microsoft to the suspicious activity, which illustrates how much the response depends on a customer noticing and reporting anomalies quickly.
Microsoft’s Investigation Reveals the Method of Attack
Microsoft's investigation found that Storm-0558, a China-based group it describes as "well-resourced," reached the mailboxes through Outlook Web Access in Exchange Online (OWA) and through Outlook.com. The group did not break the mail applications themselves. Instead, it forged authentication tokens using an acquired Microsoft account (MSA) consumer signing key, and a token validation issue in Microsoft's code allowed tokens signed with that consumer key to be accepted for Azure AD enterprise users. With those forged tokens the attackers impersonated enterprise users and read their mail.
The intrusion began in mid-May and went unnoticed for about a month, until customers reported anomalous email activity to Microsoft. The company assesses that this adversary focuses primarily on espionage, targeting email systems for intelligence collection. By presenting forged tokens rather than stolen passwords, the hackers sidestepped ordinary credential-based defenses and sought sensitive data residing in those mailboxes.
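The token validation problem described above comes down to a verifier that checks a signature against a pool of keys without asking whether the key that signed the token is entitled to vouch for the issuer the service trusts. The following is an added example, not Microsoft's code and not a reconstruction of its internals: a simplified model in which a consumer signing key and an enterprise signing key sit in one key set, a weak validator accepts any token signed by any key in that set, and a hardened validator binds each key to its issuer and checks issuer, audience and expiry. The key names, issuer URLs, audience and HS256 (used only to keep the example self-contained; real deployments use asymmetric keys published via JWKS) are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key material (assumption, not Microsoft's): one key for a consumer
# identity system and one for an enterprise tenant, held in a single key set.
KEYS = {
    "consumer-key-1": {
        "secret": b"consumer-signing-secret",
        "issuer": "https://login.consumer.example",
    },
    "enterprise-key-1": {
        "secret": b"enterprise-signing-secret",
        "issuer": "https://login.enterprise.example/tenant-1",
    },
}
ENTERPRISE_ISSUER = KEYS["enterprise-key-1"]["issuer"]
MAIL_AUDIENCE = "https://mail.enterprise.example"  # assumed audience of the mail service


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Sign a JWT-shaped token with the named key (HS256, simplified model)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), (h + "." + p).encode(), _b64url_decode(s)


def _signature_ok(kid: str, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(KEYS[kid]["secret"], signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_weak(token: str) -> bool:
    """Flawed verifier: any key in the combined key set can validate any token.

    Signature and expiry are checked, but nobody asks whether the signing key is
    allowed to issue tokens for the enterprise issuer the mail service trusts."""
    header, claims, signing_input, sig = _split(token)
    kid = header.get("kid")
    if kid not in KEYS or not _signature_ok(kid, signing_input, sig):
        return False
    return claims.get("exp", 0) > time.time()


def validate_hardened(token: str, expected_issuer: str, expected_audience: str) -> bool:
    """Binds the key to its issuer, then checks iss, aud and exp explicitly."""
    header, claims, signing_input, sig = _split(token)
    kid = header.get("kid")
    if kid not in KEYS or KEYS[kid]["issuer"] != expected_issuer:
        return False  # key scope: a consumer key may never validate an enterprise token
    if not _signature_ok(kid, signing_input, sig):
        return False
    if claims.get("iss") != expected_issuer:
        return False
    aud = claims.get("aud")
    if aud != expected_audience and not (isinstance(aud, list) and expected_audience in aud):
        return False
    return claims.get("exp", 0) > time.time()


def _enterprise_claims() -> dict:
    return {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE,
            "sub": "alice@tenant-1.example", "exp": int(time.time()) + 3600}


def forged_enterprise_token() -> str:
    """An attacker holding only the consumer key mints an enterprise-looking token."""
    return mint_token("consumer-key-1", _enterprise_claims())


def legitimate_enterprise_token() -> str:
    return mint_token("enterprise-key-1", _enterprise_claims())


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("weak validator accepts forged token:", validate_weak(forged))
    print("hardened validator accepts forged token:",
          validate_hardened(forged, ENTERPRISE_ISSUER, MAIL_AUDIENCE))
    print("hardened validator accepts legitimate token:",
          validate_hardened(legitimate_enterprise_token(), ENTERPRISE_ISSUER, MAIL_AUDIENCE))
```

The practitioner takeaway is the check in validate_hardened that runs before the signature is even computed: the key identifier is resolved to an issuer and compared against the issuer this service trusts, so a key from a different identity system cannot vouch for an enterprise user no matter how valid its signature is. Checking the iss and aud claims as well protects against a key that is legitimately trusted but whose tokens were minted for some other service.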
Successful Mitigation, but Data Exfiltration Unclear
Microsoft has confirmed that it mitigated the attack on behalf of affected customers, blocking the forged tokens and cutting off Storm-0558's access to the compromised accounts. It remains unclear, however, what data was exfiltrated during the month-long intrusion. CISA, the U.S. cybersecurity agency, stated that the attackers accessed unclassified email data.
Ongoing Investigations and Government Alerts
Government agencies, including the FBI and CISA, are actively investigating the incident. While the exact number of victims has not been disclosed, the FBI confirmed that the number of impacted government agencies is in the single digits. CISA officials have said that a government-backed actor exfiltrated a limited amount of Exchange Online data, without attributing the activity to China at this stage. Organizations using Microsoft 365 are urged to review their audit logs and report any anomalous activity to the relevant agencies.
The breach has highlighted the persistent challenges organizations face in securing their digital infrastructure against sophisticated adversaries. As investigations continue, efforts to enhance cybersecurity and safeguard sensitive information are paramount to protect against future attacks.