Posted on July 19, 2023 at 6:45 AM

Chinese State-Sponsored Hackers Stole A Key Allowing Them To Breach Key Government Agencies

Microsoft was the victim of a hacking campaign by Chinese state-sponsored hackers. The hackers in question stole a key that enabled them to stealthily gain access to dozens of email messages. The breach also affected some US federal government agencies whose emails were also breached by hackers.

Chinese hackers stole a Microsoft key to hack the government

Microsoft created a blog post on Friday saying that it was investigating how the hackers behind the breach gained access to a Microsoft signing key that was later exploited to forge the authentication tokens, enabling the threat actors to access email inboxes without being detected.

The reports published on the matter have said that some of the federal agencies that were targeted by the hackers include the State Department. The US Commerce Secretary Gina Raimondo was also targeted by the hackers. A wide range of organizations that have not been revealed were also attributed to the breach.

The incident was reported by Microsoft last week, with the tech giant attributing the hacking campaign to an espionage group known as Storm-0558. According to Microsoft, this hacker group has close ties to China.

CISA has already acknowledged the hacking attacks that are said to have started in mid-May, where hackers stole unclassified email data. The top foreign ministry in China has already denied the allegations of the country being behind the hacking attacks.

China has been attributed to several unknown vulnerabilities in the past, with the main focus of such attacks being espionage. However, unlike in past attacks where hackers gained access to Microsoft-powered email servers, the hacker group went to the source directly after targeting new and undisclosed flaws within Microsoft Cloud.

Microsoft has published a blog post saying that the hackers gained access to a consumer signing key that is used by the company to secure email accounts. According to Microsoft, it had initially believed that the hackers had forged the authentication tokens through an acquired enterprise signing key used to secure corporate and enterprise email accounts.

According to Microsoft, the hackers used consumer MSA keys to forge tokens, allowing them to access enterprise inboxes. The company has also said that it blocked all activity linked to the threat actor group regarding the incident. It further said it improved the key issuance systems to prevent hackers from running another campaign.

Microsoft also said that the hackers used a single key to obtain access to different inboxes. According to the firm, the move allowed investigators to monitor all the access requests by the threat actor, allowing the company to know the customers that were compromised and the ones that were not compromised.

Microsoft faces criticism over poor handling of breach

The immediate hack is believed to be over, with Microsoft currently facing scrutiny over its handling of the incident. The hack is believed to be the greatest compromise of unclassified government data since the Russian espionage campaign targeted SolarWinds in 2020.

Dan Goodin from Ars Technica said that the tech company has been doing some damage control. The firm did not mention that the exploit was caused by a zero-day flaw. Instead, it has only referred to it as a vulnerability.

Microsoft is also facing criticism over its policy regarding security logs. Government accounts usually pay for the top-tier package, allowing them to detect the flaw easily. However, the same did not extend to others, making it impossible for those with the top package to detect malicious activity.

According to CNN, the State Department had initially detected the breach before reporting it to Microsoft. However, not all government departments had access to the security logging enabled by the top-tier package,

A blog post by a consultancy firm noted that lower-tier packages offer some level of logging but fail to keep track of mailbox data that would have otherwise been revealed in the exploit. An official from CISA has also criticized the lack of logging. Experts believe that if the security logs were open to all, it would have helped minimize the effects of the breach.

Following this incident, Microsoft has expanded disclosure and shared additional technical details of the hacking campaign. Security researchers can check these details to determine whether their networks were targeted.

Given the criticism being directed towards Microsoft over the security logging policy and the lack of clarity on how the hackers accessed the key, the tech giant could be facing an investigation that could drag on.