Microsoft either doesn’t know, or doesn’t want to discuss, how China-backed hackers obtained a key that let them covertly break into hundreds of email inboxes, including those of multiple federal government institutions.
In a blog post Friday, Microsoft said it was still an “ongoing investigation” how the hackers obtained a Microsoft signing key and used it to forge authentication tokens that granted access to inboxes as if they were the owners. U.S. Commerce Secretary Gina Raimondo, State Department officials, and other unnamed organizations were reportedly among the targets.
Microsoft announced the month-long campaign last Tuesday, attributing it to Storm-0558, a newly identified espionage group it believes is linked to China. The breaches, which began in mid-May, targeted a small number of government accounts (in the single digits) and exfiltrated some unclassified email data, according to CISA. A senior Chinese foreign ministry official disputed the hacks on Wednesday.
Rather than exploiting previously unknown weaknesses in each target’s own systems, the group went after Microsoft’s cloud itself to steal email data from organizations running Microsoft-hosted email.
In its blog post, Microsoft said the hackers stole an MSA key, which the company uses to secure consumer email accounts such as Outlook.com. Microsoft initially believed the hackers were forging authentication tokens with a stolen enterprise signing key, the kind used to secure corporate and enterprise email accounts. It then discovered that the hackers were forging tokens to break into enterprise inboxes using that consumer MSA key, which Microsoft blamed on a “validation error in Microsoft code.”
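As an added illustration (not Microsoft’s code, and no claim about how its own validation actually failed): a miniature token validator showing the class of error the blog post describes, a consumer-realm signing key being accepted for enterprise tokens, next to a version that binds each key to the issuer it belongs to. HMAC stands in for the real public-key signatures; the key ids, issuer URLs and secrets are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed keys: one consumer (MSA-style) signing key and one enterprise
# signing key, each belonging to a different token issuer ("realm").
KEYS = {
    "consumer": {"msa-key-1": b"constructed-consumer-secret"},
    "enterprise": {"ent-key-1": b"constructed-enterprise-secret"},
}
ISSUERS = {"consumer": "https://login.consumer.example",
           "enterprise": "https://login.enterprise.example"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(kid: str, secret: bytes, claims: dict) -> str:
    """Mint an HS256 token in JWT layout (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _parse(token: str):
    h, b, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(b)), _unb64(s), f"{h}.{b}".encode()

def _sig_ok(secret: bytes, signing_input: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(secret, signing_input, hashlib.sha256).digest(), sig)

def weak_validate(token: str, expected_aud: str) -> bool:
    """Flawed: any trusted key whose id matches 'kid' is accepted, so a token signed
    with the consumer key passes for an enterprise audience."""
    header, claims, sig, signing_input = _parse(token)
    merged = {k: v for keyset in KEYS.values() for k, v in keyset.items()}
    secret = merged.get(header.get("kid"))
    return secret is not None and _sig_ok(secret, signing_input, sig) \
        and claims.get("aud") == expected_aud

def strict_validate(token: str, expected_aud: str, realm: str, now=None) -> bool:
    """Hardened: the key must come from the realm's own key set, and the token's
    issuer, audience and expiry must all match what that realm is allowed to assert."""
    header, claims, sig, signing_input = _parse(token)
    secret = KEYS[realm].get(header.get("kid"))
    if secret is None or not _sig_ok(secret, signing_input, sig):
        return False
    now = time.time() if now is None else now
    return claims.get("iss") == ISSUERS[realm] and claims.get("aud") == expected_aud \
        and claims.get("exp", 0) > now
```

A token minted with `msa-key-1` but carrying the enterprise issuer and audience passes `weak_validate` and fails `strict_validate`, which is the realm binding the weak version is missing.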
Microsoft said it has blocked “all actor activity” linked to this event, meaning the hackers have lost access. It also said it has tightened its key issuance processes to prevent hackers from creating another digital skeleton key.
The hackers made a mistake. By raiding multiple inboxes with the same key, they left a recognizable pattern, and Microsoft said investigators could “see all actor access requests which followed this pattern across both our enterprise and consumer systems.” Microsoft said it has notified those who were compromised.
Microsoft is being criticized for its handling of the issue, which is believed to be the largest compromise of unclassified government data since the 2020 Russian espionage campaign that penetrated SolarWinds.
According to Dan Goodin of Ars Technica, Microsoft avoided phrases like “zero-day” in its blog post in what looked like damage control. Microsoft declined to call the flaw a zero-day or even a vulnerability, whatever it technically was.
The theft and misuse of the key were compounded by government departments’ lack of visibility into the intrusions. Microsoft is also being criticized for reserving the security logs that could have helped incident responders uncover the illicit activity for customers on its top-tier package.
CNN reported that it was the State Department that first alerted Microsoft to the incident. According to the Wall Street Journal, only government agencies paying for Microsoft’s higher-tier accounts had the security logging that would have revealed the activity. A CISA official criticized the logging arrangement last week. Microsoft told the Journal it was “evaluating feedback.”
Microsoft’s Friday post provided more technical details and indicators of compromise that incident responders can use to determine whether their networks were targeted, but the tech giant still has unanswered questions. Microsoft may never conclude the probe, even if it already knows the answers.