Chinese hackers breach US government emails using a Microsoft cloud bug

Jul 13, 2023

Microsoft, Security

According to Microsoft, hackers from China have accessed the email accounts of about 25 organizations, including government organizations.

The attacks have been linked to a threat group known as Storm-0558, which is thought to be a cyber-espionage gang that specializes in hacking email networks to obtain sensitive information. The software behemoth has not specified the locations of the government organizations.

On June 16, 2023, Microsoft began looking into these attacks as a result of consumer complaints about odd Office 365 mail behavior. The business found that beginning on May 15, 2023, Storm-0558 threat actors gained access to customer accounts that were probably related to approximately 25 entities, including the U.S. State and Commerce Departments.

Microsoft did not, however, specify which businesses, institutions of government, or nations were impacted by these email security incidents. The U.S. government was referred to as "the world's biggest hacking empire and a global cyber thief" by the Chinese embassy in London, which also labeled the claim as "disinformation." Regardless of the facts or context, China constantly denies involvement in hacking operations.

A breach in Microsoft's cloud security "affected unclassified systems," according to Adam Hodge, a spokesman for the White House National Security Council, without providing any further details.

"Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service," Hodge continued.

Hackers stole 25 emails

About 25 email accounts, including those of governmental agencies and linked consumer accounts belonging to people affiliated to these institutions, were hijacked by the cyber group Storm-0558, according to Microsoft. Microsoft uses the term "Storm" to identify and monitor hacker networks that are brand-new, growing, or "in development." Microsoft has not revealed the names of the government agencies targeted by Storm-0558.

According to Microsoft's study, the hacking group Storm-0558, which the company describes as a "well-resourced" adversary, used Outlook Web Access in Exchange Online (OWA) and Outlook.com to access user accounts by forging authentication tokens. According to Microsoft's technical examination of the assault, the hackers forged tokens to access OWA and Outlook.com using a Microsoft consumer signing key they had obtained. After that, the hackers used a token validation flaw to pretend to be Azure AD users and access corporate email accounts.

Storm-0885's harmful behavior went undiscovered for approximately a month before users warned the company about unusual mail activity, says Microsoft.