Microsoft offers an explanation for the hack of its cloud

Martin Brinkmann
Sep 7, 2023
Updated • Sep 7, 2023
Microsoft, Security

Bugs and coincidences seem to have allowed Chinese-based hacking group Storm-0558 to steal a private MSA key from Microsoft and gain access to the accounts of organizations, including American government agencies.

The full extent of the hack is still unclear, as the MSA key allowed the hacker group access to virtually any cloud account at Microsoft.

Microsoft published the results of its investigation into the matter on its MSRC blog. The analysis reads like a badly written screenplay, as it suggests that a chain of events allowed the hacking group to obtain the key and use it to access online accounts.

Here is what happened according to Microsoft. A consumer signing system crashed in April 2021, which resulted in the creation of a crash dump. These crash dumps should not include sensitive information, including signature keys, but in this particular case, caused by a race condition, the signing key was present in the crash dump.

Security systems did not detect the presence of the key in the dump. All of this happened in a "highly isolated and restricted production environment", according to Microsoft. Employee controls include background checks, dedicated accounts, secure access workstations, and hardware token device-based multi-factor authentication. The environment itself does not allow the use of email, conferencing, web research and other collaboration tools.

If the crash dump would have stayed in the isolated environment, hackers would not have been able to obtain it. Since the crash dump was not flagged, as scans did not detect the presence of the signing key, it was moved from the isolated environment to the debugging environment. The latter is connected to the Internet and part of Microsoft's corporate network.

Some time after April 2021 and the moving of the crash dump to the debugging environment, hacking group Storm-0558 managed to compromise the corporate account of a Microsoft engineer. This account had access to the debugging environment that contained the crash dump with the signing key.

Microsoft notes that it can't use logs to verify its hypothesis due to "log retention policies". Microsoft believes that the hacking group managed to download this specific dump and that it discovered the presence of the signing key in the dump.

The last bug in the chain allowed the hackers to use the consumer key to access Enterprise email. Microsoft states in the explanation that several libraries used to validate signatures were not updated, which led to the mail system accepting a request for Enterprise email using a consumer key token.

Microsoft claims that it has corrected the issues that led to the chain of events. In particular, it fixed the race condition, the detection of keys material in crash dumps, improved credential scanning in debugging environments, and released "enhanced libraries".

The chain of events that led to the stealing of the signing key is the most likely explanation, according to Microsoft. Günter Born points out that the sheer number of coincidences and bugs is puzzling. How did the Chinese hackers find the signing key in the dumps, when even Microsoft's own systems could not find it?

It is almost certain that this is not the last time we have heard from the hack.

Now You: what is your theory?

Microsoft offers an explanation for the hack of its cloud
Article Name
Microsoft offers an explanation for the hack of its cloud
Bugs and coincidences seem to have allowed Chinese-based hacking group Storm-0558 to steal a private MSA key from Microsoft.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Some Dude said on March 19, 2023 at 11:42 am

    Are these articles AI generated?

    Now the duplicates are more obvious.

    1. boris said on March 19, 2023 at 11:48 pm

      This is below AI generated crap. It is copy of Microsoft Help website article without any relevant supporting text. Anyway you can find this information on many pages.

  2. Paul(us) said on March 20, 2023 at 1:32 am

    Yes, but why post the exact same article under a different title twice on the same day (19 march 2023), by two different writers?
    1.) Excel Keyboard Shortcuts by Trevor Monteiro.
    2.) 70+ Excel Keyboard Shortcuts for Windows by Priyanka Monteiro

    Why oh why?

    1. Clairvaux said on September 6, 2023 at 11:30 am

      Yeah. Tell me more about “Priyanka Monteiro”. I’m dying to know. Indian-Portuguese bot ?

  3. John G. said on August 18, 2023 at 4:36 pm

    Probably they will announce that the taskbar will be placed at top, right or left, at your will.

    Special event by they is a special crap for us.

  4. yanta said on August 18, 2023 at 11:59 pm

    If it’s Microsoft, don’t buy it.
    Better brands at better prices elsewhere.

  5. John G. said on August 20, 2023 at 4:22 am

    All new articles have zero count comments. :S

  6. Anonymous said on September 5, 2023 at 7:48 am

    WTF? So, If I add one photo to 5 albums, will it count 5x on my storage?
    It does not make any sense… on google photos, we can add photo to multiple albums, and it does not generate any additional space usage

    I have O365 until end of this year, mostly for onedrive and probably will jump into google one

  7. St Albans Digital Printing Inc said on September 5, 2023 at 11:53 am

    Photo storage must be kept free because customers chose gadgets just for photos and photos only.

  8. Anonymous said on September 5, 2023 at 12:47 pm

    What a nonsense. Does it mean that albums are de facto folders with copies of our pictures?

    1. GG said on September 6, 2023 at 8:24 am

      Sounds exactly like the poor coding Microsoft is known for in non-critical areas i.e. non Windows Core/Office Core.

      I imagine a manager gave an employee the task to create the album feature with hardly any time so they just copied the folder feature with some cosmetic changes.

      And now that they discovered what poor management results in do they go back and do the album feature properly?

      Nope, just charge the customer twice.

      Sounds like a go-getter that needs to be promoted for increasing sales and managing underlings “efficiently”, said the next layer of middle management.

  9. d3x said on September 5, 2023 at 7:33 pm

    When will those comments get fixed? Was every editor here replaced by AI and no one even works on this site?

  10. Scroogled said on September 5, 2023 at 10:47 pm

    Instead of a software company, Microsoft is now a fraud company.

  11. ard said on September 7, 2023 at 4:59 pm

    For me this is proof that Microsoft has a back-door option into all accounts in their cloud.
    quote “…… as the MSA key allowed the hacker group access to virtually any cloud account at Microsoft…..”

    so this MSA key which is available to MS officers can give access to all accounts in MS cloud.This is the backdoor that MS has into the cloud accounts. Lucky I never got any relevant files of mine in their (MS) cloud.

  12. Andy Prough said on September 7, 2023 at 6:52 pm

    >”Now You: what is your theory?”

    That someone handed an employee a briefcase full of cash and the employee allowed them access to all their accounts and systems.

    Anything that requires 5-10 different coincidences to happen is highly unlikely. Occam’s razor.

  13. TelV said on September 8, 2023 at 12:04 pm

    Good reason to never login to your precious machine with a Microsoft a/c a.k.a. as the cloud.

  14. Anonymous said on September 18, 2023 at 1:23 pm

    The GAFAM are always very careless about our software automatically sending to them telemetry and crash dumps in our backs. It’s a reminder not to send them anything when it’s possible to opt out, and not to opt in, considering what they may contain. And there is irony in this carelessness biting them back, even if in that case they show that they are much more cautious when it’s their own data that is at stake.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.