Technology corporation Microsoft has announced that it was the victim of a “China-based threat actor with espionage objectives”, who has stolen emails belonging to more than 20 US organizations.
On July 14, Microsoft released a statement analyzing the hack. The company explained that the hackers, referred to as Storm-0558, had been able to exploit a software vulnerability, giving them unauthorized access to the Microsoft email accounts of approximately 25 organizations including US government agencies.
During the hack, which took place on June 16, the malicious actor “acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com”. The method by which the hacker acquired the inactive MSA key is currently unknown and under investigation.
The malicious actor was then able to exploit a software vulnerability that meant that the key “was trusted for signing Azure AD tokens” even though it was only intended for MSA accounts, giving them unauthorized access to victims’ email accounts. Microsoft assured customers that the software vulnerability had been patched.
After gaining access to the email accounts, Storm-0558 was able to access and exfiltrate email data including emails, attachments, conversations and email folder information. The cyber attack was discovered after the US State Department detected atypical email data access.
In their analysis, Microsoft noted that Storm-0558 generally targets “media companies, think tanks, and telecommunications equipment and service providers” with the objective of gaining “unauthorized access to email accounts belonging to employees of targeted organizations”. Storm-0558 does this by employing a number of threat vectors including “credential harvesting, phishing campaigns, and OAuth token attacks”. The malicious actors had apparently been active since August 2021.
China has refuted the allegations that Storm-0558 is a malicious actor based out of the country.