
Microsoft said Tuesday it had defeated a cyberattack by Chinese nation-state actors that targeted 20 entities, including government agencies, in a cyberespionage campaign aimed at obtaining sensitive data.
The attack, which began on May 15, 2023, involved access to email accounts and affected approximately 25 organizations and a small number of associated individual consumer accounts.
The tech giant attributed the campaign to Storm-0558, describing it as a China-based nation-state actor that primarily targets government agencies in Western Europe.
“They focus on espionage, data theft, and access to credentials,” Microsoft said. “They are also known to use custom malware, which Microsoft tracks as Cigril and Bling, to access credentials.”
The breach was allegedly detected on June 16, 2023, a month after an unidentified customer reported unusual email activity to the company.
Microsoft said it has notified all targeted or compromised organizations directly through their tenant administrators. It did not disclose the number of affected organizations or institutions or the number of accounts that may have been hacked.
But the Washington Post reported that the attackers also compromised a number of unclassified US email accounts.
According to Redmond, access to customer email accounts was gained through Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.
“The attackers used the obtained MSA keys to forge tokens to access OWA and Outlook.com,” it said. “MSA (consumer) keys and Azure AD (enterprise) keys must be issued and managed by separate systems and be valid only in their respective systems.”
“Attackers exploited a token validation issue to impersonate an Azure AD user to access corporate email.”
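The separation Microsoft describes above (consumer and enterprise signing keys must only be valid in their own systems) is the kind of check a token validator has to enforce explicitly. The following is an added illustration, not Microsoft's code: it models the flaw as a validator that accepts any key it knows about, next to a scoped validator that only consults the key set of the system it trusts. Key names, secrets and claims are constructed, and HMAC stands in for the asymmetric keys real issuers use.

```python
import base64
import hashlib
import hmac
import json

# Constructed key sets, one per token-issuing system. Real MSA and Azure AD
# keys are asymmetric; HMAC secrets stand in for them so this runs offline.
KEY_SETS = {
    "consumer": {"msa-key-1": b"constructed-consumer-secret"},
    "enterprise": {"aad-key-1": b"constructed-enterprise-secret"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(system: str, kid: str, claims: dict) -> str:
    """Issue a compact JWS-style token signed with one of that system's keys."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY_SETS[system][kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def _parse(token: str):
    h_b64, c_b64, s_b64 = token.split(".")
    header = json.loads(_b64url_decode(h_b64))
    claims = json.loads(_b64url_decode(c_b64))
    return h_b64, c_b64, _b64url_decode(s_b64), header, claims

def _signature_ok(key: bytes, h_b64: str, c_b64: str, sig: bytes) -> bool:
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def validate_weak(token: str):
    """Modelled flaw: any key the service knows verifies a token, whichever system issued it."""
    h_b64, c_b64, sig, header, claims = _parse(token)
    for keys in KEY_SETS.values():
        key = keys.get(header.get("kid"))
        if key is not None and _signature_ok(key, h_b64, c_b64, sig):
            return claims
    return None

def validate_scoped(token: str, expected_system: str):
    """Hardened: the key id must belong to the key set of the system this service trusts."""
    h_b64, c_b64, sig, header, claims = _parse(token)
    key = KEY_SETS[expected_system].get(header.get("kid"))
    if key is None or not _signature_ok(key, h_b64, c_b64, sig):
        return None
    return claims
```

A token minted with the consumer key carries a valid signature, so the weak validator accepts it for an enterprise mailbox; the scoped validator rejects it because the key id is not in the enterprise key set.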
There is no evidence that the attackers used Azure AD keys or any other MSA keys to carry out their attacks. Microsoft said it has since blocked the use of tokens signed with the acquired MSA key in OWA to mitigate the attack.
“This type of espionage adversary is abusing credentials and trying to access data residing on sensitive systems,” said Charlie Bell, executive vice president of security at Microsoft.
The disclosure comes more than a month after Microsoft exposed critical infrastructure attacks by a Chinese adversary known as Volt Typhoon (aka Bronze Silhouette or Vanguard Panda) targeting the United States.