Microsoft said late Tuesday that it took action in recent weeks to mitigate China-based cyberattacks that exposed email account information of U.S. government agencies and other organizations, along with customer accounts of people tied to those agencies and organizations.
In a separate advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI confirmed that at least one Federal civilian agency was a target of the attacks, but did not identify the agency. Several news reports today cite unnamed sources as saying that the State Department may have been targeted.
In a briefing with reporters today, a senior CISA official emphasized that the attack appeared to have been narrowly scoped, quickly rooted out, and that classified information was not exposed.
The official discouraged comparisons with the 2020 SolarWinds cyber exploit – based on the apparently much smaller size of the Microsoft attack, and the fact that it was not a software supply chain exploit.
In a July 11 blog post Microsoft detailed its steps to investigate and mitigate that attacks, but provided no further information on how many government agencies were impacted, the severity of the email exposures, or a total number of accounts impacted.
Microsoft identified the attacker as a China-based threat actor that it follows under the name Storm-0558. The attacker targets customer emails, primarily “agencies in Western Europe,” and mostly focuses on espionage, data theft, and credential access, the company said.
The company said its “investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email.”
Microsoft said that beginning on May 15, “Storm-0558 gained access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts of individuals likely associated with these organizations.” The company began investigating after receiving information from a customer on June 16.
The company emphasized that since then, “Microsoft has completed mitigation of this attack for all customers.”
“Our telemetry indicates that we have successfully blocked Storm-0558 from accessing customer email using forged authentication tokens,” the company said. “As with any observed nation-state actor activity, Microsoft has contacted all targeted or compromised organizations directly via their tenant admins and provided them with important information to help them investigate and respond,” it said.
CISA/FBI Advisory
In their advisory, CISA and the FBI said that “in June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.”
The agencies said their advisory was aimed at providing guidance to “critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments.”
“Organizations can enhance their cyber posture and position themselves to detect similar malicious activity by implementing logging recommendations in this advisory,” they said. “Organizations that identify suspicious, anomalous activity should contact Microsoft for proceeding with mitigation actions due to the cloud-based infrastructure affected, as well as report to CISA and the FBI,” the agencies said.
During a press briefing today, a senior CISA official would not specify how many U.S.-based organizations were targeted, but said that number was likely in the “single digits.”
“A small number of mailboxes were impacted, which reflects the surgical nature of the attack,” the official said. “No classified systems or data” were impacted by the hacking campaign, the official said, saying the exploit was limited to “unclassified Outlook email boxes.”
In a separate statement, White House National Security spokesman Adam Hodge said the intrusion in Microsoft’s cloud security impacted “unclassified systems.”
“The Senate Intelligence Committee is closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence,” said Sen. Mark Warner, D-Va., chairman of the Senate intelligence Committee, in a statement today.
He said it’s clear that the Chinese government “is steadily improving its cyber collection capabilities directed against the U.S. and our allies. Close coordination between the U.S. government and the private sector will be critical to countering this threat.”
Further Attack Details
In its blog posting, Microsoft said that the China-based threat actor “used an acquired MSA [Microsoft account] key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems.”
“The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail,” the company said. “We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.”
The company said its steps during the investigation included:
- Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA preventing further threat actor enterprise mail activity.
- Microsoft completed the replacement of the key to prevent the threat actor from using it to forge tokens.
- Microsoft blocked usage of tokens issued with the key for all impacted consumer customers.
“We have continuously improved the security of the MSA key management systems since the acquired MSA key was issued, as part of defense in depth, to ensure the safety and security of consumer keys,” the company said.
