Exploiting Microsoft cloud vulnerability, Chinese hackers breach US government email accounts

Chinese Hackers Exploit Microsoft Cloud Flaw to Breach US Government Email Accounts


Chinese hackers have successfully breached the email accounts of U.S. government employees by taking advantage of a vulnerability in Microsoft's cloud email service, as confirmed by the technology giant.

The hacking group, known as Storm-0558, targeted approximately 25 email accounts associated with government agencies and related consumer accounts linked to individuals connected to these organizations. Microsoft uses the nickname "Storm" to track emerging hacking groups.

While Microsoft has not disclosed the specific government agencies affected by Storm-0558, Adam Hodge, spokesperson for the White House's National Security Council, confirmed that U.S. government agencies were impacted.

Last month, U.S. government safeguards detected an intrusion in Microsoft's cloud service that affected unclassified systems. Upon discovery, officials promptly contacted Microsoft to investigate the source of the intrusion and the vulnerability in its cloud service. The U.S. government holds its procurement providers to a high security standard.

According to reports, the State Department was among the federal agencies compromised, with State alerting Microsoft to the breach.

Microsoft's investigation revealed that Storm-0558, described as a well-resourced hacking group based in China, gained unauthorized access to email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com. The hackers forged authentication tokens using an acquired Microsoft consumer signing key, then exploited a token validation flaw that let tokens signed with that consumer key be accepted as if they were issued for Azure AD users, allowing them to impersonate those users and read enterprise email.
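The validation weakness described above, modelled as an added example that is not Microsoft's code: a simplified HMAC-signed token whose key is looked up by `kid`. The weak validator resolves the key across every trusted keyset, so a token signed with a consumer key is accepted for the enterprise issuer; the hardened validator only consults the keyset bound to the expected issuer. Key names, secrets and the issuer strings are constructed for the demo, and treating the flaw as "key accepted for the wrong issuer" is an assumption about the page's "token validation flaw".

```python
import base64
import hashlib
import hmac
import json

# Constructed sample keys: one consumer (MSA) signing key, one enterprise (Azure AD) key.
CONSUMER_KEYS = {"msa-key-1": b"consumer-secret-constructed"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-secret-constructed"}
KEYSETS = {"consumer": CONSUMER_KEYS, "enterprise": ENTERPRISE_KEYS}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Build a minimal JWT-like token: header.payload.signature with HMAC-SHA256."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), f"{h}.{p}".encode()

def _verify(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig)

def validate_weak(token: str, expected_iss: str) -> bool:
    """Flawed: resolves the kid across ALL trusted keysets, so a consumer key
    can vouch for a token that claims the enterprise issuer."""
    header, claims, sig, signing_input = _parse(token)
    all_keys = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    key = all_keys.get(header.get("kid"))
    if key is None or claims.get("iss") != expected_iss:
        return False
    return _verify(key, signing_input, sig)

def validate_strict(token: str, expected_iss: str) -> bool:
    """Hardened: the kid is resolved ONLY in the keyset bound to the expected issuer."""
    header, claims, sig, signing_input = _parse(token)
    if claims.get("iss") != expected_iss:
        return False
    key = KEYSETS.get(expected_iss, {}).get(header.get("kid"))
    if key is None:
        return False
    return _verify(key, signing_input, sig)
```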

The malicious activity of Storm-0558 went undetected for about a month until customers reported abnormal mail behavior to Microsoft.

Microsoft stated that it successfully mitigated the attack, cutting off Storm-0558's access to the compromised accounts. However, the company has not confirmed whether any sensitive data was extracted during the month-long breach.

The U.S. cybersecurity agency, CISA, indicated that the attackers accessed unclassified email data. While the total number of victims remains undisclosed, an FBI official described the intrusion as a targeted campaign impacting a single-digit number of government agencies, but declined to name them.

A senior CISA official revealed that a limited amount of Exchange Online data was exfiltrated by a government-backed actor, although the U.S. government has not yet attributed the attack to China.
