Microsoft confirmed that Chinese hackers breached U.S. government employee email accounts using a cloud email service flaw.
Microsoft reported that Storm-0558 compromised 25 government agency email accounts and related consumer accounts linked to these organizations. Microsoft calls new or developing hacking groups “Storm.”
Microsoft hasn’t named Storm-0558’s government targets. It was reported that White House National Security Council spokesperson Adam Hodge said U.S. government agencies were affected.
“Last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” Hodge told . “Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We keep U.S. government procurement providers secure.”
The Wall Street Journal reported that several federal agencies were compromised, including the State Department. CNN reports State informed Microsoft of the breach.
Microsoft found that Storm-0558, a “well-resourced” Chinese hacking group, used forged authentication tokens to access Outlook Web Access (OWA) and Outlook.com email accounts. Microsoft explained in its technical analysis that hackers used an acquired Microsoft consumer signing key to forge tokens to access OWA and Outlook.com. Then, they impersonated Azure AD users to access enterprise email accounts.
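The mechanism described above, a token accepted because it carries a valid signature from a key that should never have been trusted for that audience, is easiest to see in a validator. The following is an added illustration, not Microsoft’s code and not a claim about how Azure AD or Outlook validate tokens. It uses HS256 with constructed secrets in place of the RSA signing keys a real identity provider uses, and the issuer URLs, audience names and key ids are hypothetical. A token minted with the “consumer” key but claiming the enterprise issuer is rejected by a validator that looks the `kid` up only in the key set of the issuer trusted for the requested audience, and accepted by a lax validator that searches every key it knows.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key material: each issuer has its own keyring (kid -> secret).
# HS256 secrets stand in for the RSA signing keys a real IdP would publish.
CONSUMER_KEYS = {"consumer-key-1": b"constructed-consumer-secret"}
ENTERPRISE_KEYS = {"enterprise-key-1": b"constructed-enterprise-secret"}

# Hypothetical issuers and the audiences each one is trusted to sign for.
CONSUMER_ISS = "https://login.example.test/consumer"
ENTERPRISE_ISS = "https://login.example.test/enterprise"
ISSUER_KEYS = {CONSUMER_ISS: CONSUMER_KEYS, ENTERPRISE_ISS: ENTERPRISE_KEYS}
AUDIENCE_ISSUER = {"outlook-consumer": CONSUMER_ISS, "exchange-enterprise": ENTERPRISE_ISS}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(kid: str, secret: bytes, claims: dict) -> str:
    """Produce a compact JWT signed with the given key (test helper)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    try:
        h, p, s = token.split(".")
        return h, p, json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except Exception as exc:
        raise ValueError("malformed token") from exc


def _check_sig(secret: bytes, h: str, p: str, sig: bytes) -> None:
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")


def validate_strict(token: str, expected_audience: str, now: float = None) -> dict:
    """Accept only keys from the issuer that is trusted for this audience."""
    now = time.time() if now is None else now
    h, p, header, claims, sig = _parse(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    issuer = AUDIENCE_ISSUER.get(expected_audience)
    if issuer is None or claims.get("iss") != issuer:
        raise ValueError("issuer not trusted for this audience")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    secret = ISSUER_KEYS[issuer].get(header.get("kid"))  # look up within that issuer only
    if secret is None:
        raise ValueError("kid not in the issuer's key set")
    _check_sig(secret, h, p, sig)
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def validate_lax(token: str, expected_audience: str, now: float = None) -> dict:
    """Hypothetical weak validator: any key it knows is good enough, whoever issued it."""
    now = time.time() if now is None else now
    h, p, header, claims, sig = _parse(token)
    all_keys = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    secret = all_keys.get(header.get("kid"))
    if secret is None:
        raise ValueError("unknown kid")
    _check_sig(secret, h, p, sig)
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        raise ValueError("audience mismatch or expired")
    return claims


def demo() -> dict:
    """Compare both validators on a legitimate token and a cross-issuer one."""
    now = 1_700_000_000
    claims = {"sub": "user@example.test", "iss": ENTERPRISE_ISS, "aud": "exchange-enterprise", "exp": now + 3600}
    legit = mint_token("enterprise-key-1", ENTERPRISE_KEYS["enterprise-key-1"], claims)
    # Same claims, but signed with the consumer key: valid signature, wrong trust domain.
    cross = mint_token("consumer-key-1", CONSUMER_KEYS["consumer-key-1"], claims)
    out = {"legit": validate_strict(legit, "exchange-enterprise", now)["sub"]}
    try:
        validate_strict(cross, "exchange-enterprise", now)
        out["cross_key_strict"] = "accepted"
    except ValueError as e:
        out["cross_key_strict"] = str(e)
    try:
        validate_lax(cross, "exchange-enterprise", now)
        out["cross_key_lax"] = "accepted"
    except ValueError as e:
        out["cross_key_lax"] = str(e)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that signature verification alone proves only that the holder of some key signed the token; binding the key set to the issuer, and the issuer to the audience, is what stops a key from one trust domain from minting tokens for another.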
Microsoft said customers discovered Storm-0558’s malicious activity after a month.
“This adversary is focused on espionage, such as email system access for intelligence collection. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data in sensitive systems,” said Microsoft’s top cybersecurity executive, Charlie Bell.
Microsoft said Storm-0558 lost access to the compromised accounts after the attack was mitigated. The company has not disclosed whether the attackers stole sensitive data during their month-long access.
CISA advised that attackers accessed unclassified email data.
A senior FBI official told on Wednesday that the month-long intrusion was a “targeted campaign” but declined to confirm the number of victims. The official did not identify affected agencies.
A senior CISA official said a government-backed actor—which the U.S. government is not yet attributing to China—exfiltrated a “limited amount” of Exchange Online data.
CISA and the FBI encourage organizations to report Microsoft 365 anomalies.