Microsoft thinks it knows how Chinese hackers were able to breach US government accounts

An old crash dump was most likely to blame, Microsoft says


Microsoft’s investigation into the recent Storm-0558 cyberattack has concluded, with the company saying it now knows how the Chinese threat actor accessed US government email accounts.

Two months ago, a Chinese hacking group known as Storm-0558 accessed more than two dozen Microsoft email accounts belonging to various organizations in the West, including several US government agencies.

Initial investigation showed that the hackers used a previously obtained Microsoft account (MSA) consumer key to forge tokens to access OWA and Outlook.com.

Correcting issues

What remained a mystery was how the hackers obtained that consumer key in the first place. Two months later, the Redmond giant’s in-depth investigation concluded that the signing key had been included in a crash dump of a consumer signing system dating from April 2021.

“The crash dumps, which redact sensitive information, should not include the signing key,” Microsoft explained. “In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).”

The crash dump was then moved into the company’s debugging environment on the internet-connected corporate network. While this is consistent with the company’s standard debugging process, it made it possible for the hackers to steal the dump. In the months following the crash dump’s creation, a member of Storm-0558 compromised a Microsoft corporate account belonging to an engineer, and because that account had access to the debugging environment, they were able to grab the crash dump from one of the endpoints.
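The detection control Microsoft says failed here (“the key material’s presence in the crash dump was not detected by our systems”) amounts to a gate that scans a dump for secret material before it is allowed to leave the isolated signing environment for a debugging network. The following is an added example of such a gate, not Microsoft’s tooling; the dump fragments, the “key” bytes and the `kid` value are all constructed for the demo:

```python
"""Pre-transfer scan of a crash dump for signing-key material.

Added example (not Microsoft's tooling): run before a dump leaves the
isolated signing environment. Every dump byte string, key body and "kid"
below is constructed for the demo; the "key" is base64 of a hash, not a key.
"""
import base64
import hashlib
import json
import math
import re
from collections import Counter
from dataclasses import dataclass

# Rule 1: PEM-encoded private keys, the most recognisable leak form.
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# Rule 2: JSON Web Key objects; flagged only if they carry a private parameter.
JWK_OBJECT = re.compile(rb'\{[^{}]*"kty"[^{}]*\}')
# Rule 3: long unbroken base64/base64url runs, flagged when their entropy is
# high enough to look like key bytes rather than text, paths or symbol names.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=_-]{64,}")
ENTROPY_THRESHOLD = 4.5  # bits per symbol; prose and identifiers stay well below


@dataclass
class Finding:
    kind: str
    offset: int
    preview: str


def shannon_entropy(data: bytes) -> float:
    """Bits per symbol of the byte distribution in data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _jwk_is_private(obj: bytes) -> bool:
    try:
        jwk = json.loads(obj)
    except ValueError:
        return False
    # "d" is the private exponent/scalar of RSA and EC keys, "k" a symmetric key.
    return isinstance(jwk, dict) and ("d" in jwk or "k" in jwk)


def scan_dump(data: bytes) -> list:
    """Return every location in the dump that looks like key material."""
    findings = []
    for m in PEM_PRIVATE.finditer(data):
        findings.append(Finding("pem-private-key", m.start(), m.group().decode()))
    for m in JWK_OBJECT.finditer(data):
        if _jwk_is_private(m.group()):
            findings.append(Finding("jwk-private-key", m.start(),
                                    m.group()[:40].decode(errors="replace")))
    for m in B64_RUN.finditer(data):
        if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
            findings.append(Finding("high-entropy-blob", m.start(), m.group()[:40].decode()))
    return findings


def safe_to_transfer(data: bytes) -> bool:
    """The gate: a dump with any finding stays inside the signing environment."""
    return not scan_dump(data)


# Constructed dump fragments for the demo.
_FAKE_KEY = base64.b64encode(hashlib.sha256(b"constructed-demo-key").digest() * 3)
CLEAN_DUMP = (
    b"MDMP constructed minidump\x00\x00 thread 0x1a2b\n"
    b"stack: tokensvc!SignToken+0x5c ntdll!RtlUserThreadStart+0x21\n"
    b"module: C:\\svc\\tokensvc.exe build 2021.04.12\n"
)
LEAKY_DUMP = (
    CLEAN_DUMP
    + b"heap 0x7ff6: -----BEGIN RSA PRIVATE KEY-----\n" + _FAKE_KEY
    + b"\n-----END RSA PRIVATE KEY-----\n"
    + b'cached jwk: {"kty":"RSA","kid":"constructed-kid","n":"' + _FAKE_KEY[:32]
    + b'","d":"' + _FAKE_KEY[32:64] + b'"}\n'
)

if __name__ == "__main__":
    for f in scan_dump(LEAKY_DUMP):
        print(f"{f.kind:20} @0x{f.offset:06x} {f.preview}")
    print("safe to transfer:", safe_to_transfer(LEAKY_DUMP))
```

The point of the third rule is that redaction can miss key material that is not in a recognisable container (a raw buffer on the heap, for instance), so the gate should not rely on format signatures alone; an entropy check catches the raw form at the cost of occasional false positives, which in a signing environment is the right trade.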

“Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” Microsoft concluded.


At the time of the breach, Microsoft revoked all valid MSA signing keys, effectively shutting the hackers out.
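Revocation works because a token is only as trusted as the key set the verifier currently accepts: a token forged with a stolen key verifies exactly like a genuine one until the issuer stops listing that key. The following is an added example of that mechanism, not Microsoft’s MSA implementation; it uses a simplified JWS-like token format with HMAC-SHA256 so it runs offline (a real issuer uses asymmetric keys published as a JWKS), and every key, `kid` and claim value is constructed for the demo:

```python
"""Why revoking the signing keys shut the actor out.

Added example, not Microsoft's MSA implementation. Tokens use a simplified
JWS-like format (header.payload.signature, HMAC-SHA256) so the example runs
offline. All key bytes, kids and claims below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a token; anyone holding `key` can do this, which is the whole risk."""
    header = _b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def verify_token(token: str, active_keys: dict, now: int):
    """Accept only tokens signed by a key the issuer still lists as active."""
    try:
        header_b, payload_b, sig_b = token.split(".")
        header = json.loads(_unb64u(header_b))
        claims = json.loads(_unb64u(payload_b))
    except ValueError:
        return False, "malformed"
    kid = header.get("kid")
    if kid not in active_keys:  # revoked or never issued: signature not even checked
        return False, f"unknown or revoked kid {kid!r}"
    expected = hmac.new(active_keys[kid], f"{header_b}.{payload_b}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig_b)):
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def revoke(active_keys: dict, kid: str) -> dict:
    """Return the key set without `kid`; every token under it fails from now on."""
    return {k: v for k, v in active_keys.items() if k != kid}


def demo():
    now = 1_700_000_000
    claims = {"sub": "mailbox@example.test", "aud": "owa", "exp": now + 3600}
    # Constructed 2021-era key. The issuer holds it; in the scenario, so does the actor.
    keys = {"consumer-2021": hashlib.sha256(b"constructed-consumer-key-2021").digest()}
    leaked_copy = keys["consumer-2021"]

    # 1. A token the actor forges with the leaked key verifies like a genuine one.
    forged = sign_token("consumer-2021", leaked_copy, claims)
    before = verify_token(forged, keys, now)

    # 2. The issuer revokes the key and rotates to a fresh one.
    keys = revoke(keys, "consumer-2021")
    keys["consumer-2023"] = hashlib.sha256(b"constructed-consumer-key-2023").digest()
    after = verify_token(forged, keys, now)

    # 3. Tokens minted under the new key still work for legitimate users.
    fresh = verify_token(sign_token("consumer-2023", keys["consumer-2023"], claims), keys, now)
    return before, after, fresh


if __name__ == "__main__":
    labels = ("forged, key active", "forged, key revoked", "fresh key")
    for label, result in zip(labels, demo()):
        print(f"{label:22} -> {result}")
```

Note that the verifier rejects an unknown `kid` before it computes any signature, so a revoked key cannot be rescued by a valid signature; the flip side is that revocation also invalidates every legitimate token under the old key, which is why the step is paired with rotation to a new one.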


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
