The story so far: In July, Microsoft said that a China-based hacking group breached U.S. government-linked email accounts. The company said the group identified as Storm-0558, gained access to email accounts of 25 organisations, including Western European government agencies, email accounts from top American officials such as Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asia Daniel Kritenbrink. The attacks stemmed from the compromise of a Microsoft engineer’s corporate account. The company further explained that hackers were able to extract a cryptographic key from the engineer’s account to access into email accounts. The flaw has been fixed now.
When did the attacks start?
The attack on email accounts of American government officials was first noticed when customers reported abnormal activity on June 16. Microsoft then began an investigation which revealed that from May 15, Storm-0558 gained access to email accounts affecting approximately 25 organisations in the public cloud including government agencies as well as related customer accounts of individuals associated with them.
What is Storm-0558?
Microsoft Threat Intelligence “with moderate confidence” assessed that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives. The group is thought to operate as its own distinct group and its core working hours are consistent with working hours in China, Microsoft said in a blog post.
In the past, the group has been seen to have primarily targeted U.S. and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests. The group has been targeting Microsoft accounts since August 2021 and had reportedly obtained credentials for initial access through phishing campaigns and exploited vulnerabilities in public-facing applications to gain access to victims’ networks.
How did the threat actors breach Microsoft’s security?
The China-based threat actor was able to compromise Microsoft’s cloud security systems by using an acquired MSA key to forge tokens to access Outlook Web Access…