Microsoft says Chinese hackers gained access to US government email accounts

Hackers reportedly had access for a month before being pushed out

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A Chinese threat actor was able gain access to more than two dozenMicrosoftemailaccounts belonging to various organizations in the West, the company has revealed.

Microsoft explained the details in anadvisorypublished on the company’s website, noting it spotted the threat actor it tracks as Storm-0558 targeting government agencies in Western Europe, after being tipped off by customers in mid-June.

A deeper investigation uncovered that Storm-0558 started its campaign in mid-May this year, gaining access to email accounts of roughly 25 organizations, including government firms.

Forging authentication tokens

The attack was conducted using forget authentication tokens which allowed threat actors to access emails using an acquired MIcrosoft account consumer signing key, the company confirmed.

“Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email,” Microsoft explained.

“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.”

Microsoft denies massive user data breach - here’s all we know so far>Nearly all Microsoft 365 customers have suffered email data breaches>These are the best firewalls right now

Microsoft’s post-activity telemetry suggests that the attack was successfully mitigated, and that Storm-0558 no longer has access to these accounts. However, the company did not discuss the damage that was done in the month while the attackers had access.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

What it did confirm is that the group is usually focused on espionage,data theft, and credential access, against entities in Western Europe.

There is nothing for potentially affected customers to do in order to stay secure, Microsoft added, as the update was done from the company’s side. The Redmond software giant said it contacted targeted firms directly, and provided them with important information needed for mitigation and response.

“If you have not been contacted, our investigations indicate that you have not been impacted,” Microsoft concluded.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new malware utilizes a rare programming language to evade traditional detection methods

Google puts Nvidia on high alert as it showcases Trillium, its rival AI chip, while promising to bring H200 Tensor Core GPUs within days

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time