Microsoft has hardened security following a Chinese hack of U.S. government agency email accounts, but some details remain a mystery.
Even as the threat has passed, Microsoft officials are still analyzing how a Chinese threat group was able to access U.S. government accounts using a stolen inactive Microsoft account (MSA) consumer signing key.
Chinese hacker group Storm-0558 breached an undisclosed number of email accounts belonging to 25 organizations, including U.S. government agencies, over the past month using authentication tokens forged with the stolen MSA key.
In an update on the issue published late last week, Microsoft Threat Intelligence said an analysis of the Exchange Online activity revealed that “the actor was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key. This was made possible by a validation error in Microsoft code. The use of an incorrect key to sign the requests allowed our investigation teams to see all actor access requests which followed this pattern across both our enterprise and consumer systems. … Microsoft’s investigations have not detected any other use of this pattern by other actors and Microsoft has taken steps to block related abuse.”
Microsoft said it’s unsure how the threat actor was able to steal the key. “The method by which the actor acquired the key is a matter of ongoing investigation,” the Threat Intelligence team wrote. “Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.”
Microsoft said it has taken a number of other steps, and no other action is required by customers. “We have substantially hardened key issuance systems since the acquired MSA key was initially issued,” the company said. “This includes increased isolation of the systems, refined monitoring of system activity, and moving to the hardened key store used for our enterprise systems. We have revoked all previously active keys and issued new keys using these updated systems.”
The attack was discovered by a U.S. government agency using premium Microsoft 365 logging data. As a result, Microsoft said it will “include access to wider cloud security logs for our worldwide customers at no additional cost.”
MSA Key Used to Breach Azure AD
Leveraging the validation error, the hackers were able to use the stolen consumer-level key to access enterprise systems, said a Microsoft Security Response Center (MSRC) blog post. “MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems,” MSRC said. “The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.”
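The key-scope failure MSRC describes, shown here as an added illustration and not as Microsoft's code: a validator that trusts any known signing key, beside one that binds each key to the issuer it was created for. The issuer URLs, key IDs and secrets are constructed for the example, and HMAC stands in for the asymmetric signatures real token services use.

```python
import base64, hashlib, hmac, json

# Constructed key registry: each signing key is bound to exactly one issuer.
# HMAC-SHA256 is a stand-in for the asymmetric signatures real identity providers use.
KEYS = {
    "consumer-k1":   {"issuer": "https://consumer-idp.example",   "secret": b"consumer-demo-secret"},
    "enterprise-k1": {"issuer": "https://enterprise-idp.example", "secret": b"enterprise-demo-secret"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Issue a JWT-shaped token (header.payload.signature) with key `kid`."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64(mac.digest())}"

def _verify_signature(token: str):
    """Return (kid, claims) if the signature checks out under a known key, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        kid = json.loads(_unb64(header_b64))["kid"]
        key = KEYS[kid]
        expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        return kid, json.loads(_unb64(payload_b64))
    except (ValueError, KeyError, TypeError):
        return None

def validate_weak(token: str) -> bool:
    """Flawed: any key in the registry is trusted for any issuer."""
    return _verify_signature(token) is not None

def validate_scoped(token: str):
    """Hardened: the signing key must belong to the issuer the token claims."""
    verified = _verify_signature(token)
    if verified is None:
        return False, "bad-signature"
    kid, claims = verified
    if KEYS[kid]["issuer"] != claims.get("iss"):
        return False, f"key-scope-mismatch:{kid}"  # log this: it doubles as a detection signal
    return True, "ok"
```

The mismatch reason carries the key ID, which is the kind of marker that lets responders find every request signed with the wrong key, as Microsoft says its teams did.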
The attack, Microsoft says, has now been mitigated for all users. “We added substantial automated detections for known indicators of compromise associated with this attack to harden defenses and customer environments, and we have found no evidence of further access,” Microsoft Security EVP Charlie Bell wrote in a blog post.
The Washington Post named the U.S. Departments of Commerce and State as victims and reported that one of the people whose email accounts were breached was U.S. Secretary of Commerce Gina Raimondo. Still, a senior FBI official told the Post that no classified information was accessed.
Sophisticated Authentication Hack
Microsoft noted that Storm-0558’s core working hours are impressively businesslike, from 8 a.m. to 5 p.m. China Standard Time, Monday through Friday. “In past activity observed by Microsoft, Storm-0558 has primarily targeted U.S. and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests,” the company stated.
“Historically, this threat actor has displayed an interest in targeting media companies, think tanks, and telecommunications equipment and service providers,” Microsoft added. “The objective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts belonging to employees of targeted organizations. Storm-0558 pursues this objective through credential harvesting, phishing campaigns, and OAuth token attacks.”
Microsoft’s investigation determined that, starting on May 15, 2023, Storm-0558 had accessed email data from a range of organizations, as well as consumer accounts belonging to people linked to those organizations. Microsoft’s investigation began after a customer report on June 16.
The Importance of Email Security
KnowBe4 security awareness advocate Erich Kron told eSecurity Planet that the attack should serve as a reminder of the dangers of breached email accounts. “Not only do many of us use our email accounts to reset passwords, potentially to platforms these bad actors would like to access, but there are also conversations that have taken place that can be used to attempt to steal information or take actions,” he said. “It’s not unusual to see a bad actor restart an email thread, or take an active role in email discussions through the compromised account, using the trust built through previous interactions to victimize people.”
“Email is also the source of a lot of potentially sensitive information that is shared within an organization,” Kron added. “People tend to trust internal organizationally managed email systems to have conversations about sensitive topics, something they would not do using a commercial email platform such as Gmail or Hotmail.”
Multi-factor authentication (MFA) is always a good idea to help protect against account takeover, but it’s not foolproof. “In this case, because they are using forged tokens, protections may be limited by MFA,” Kron said. “It is very important that users report potential email oddities, such as receiving a notification of an email received but having it missing from the inbox, as that may be a sign of a bad actor communicating with someone else, then trying to cover their tracks.”