Microsoft has uncovered another Chinese cyber espionage operation that compromised at least 25 organizations, including the US government.
The tech giant began investigating suspicious email activity following a customer report on June 16. It was later discovered that a Chinese group tracked as Storm-0558 had been accessing customer email accounts since May 15.
The group is known to target government agencies in Western Europe, with a focus on espionage, data theft and access to credentials, Microsoft said in a blog post.
The attackers appear to have accessed customer email accounts via Outlook Web Access (OWA) on Exchange Online and Outlook.com by forging authentication tokens.
“The actor used an acquired MSA [Microsoft account] key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys should be issued and managed by separate systems and should be valid only in their respective systems,” explained Microsoft.
“An attacker exploited a token validation issue to impersonate an Azure AD user to access corporate email. There is no evidence that Azure AD keys or any other MSA keys were used by this attacker. OWA and Outlook.com are the only services we have seen using forged tokens with the MSA key obtained by the attackers.”
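To illustrate the validation point Microsoft describes, the following is an added example, not Microsoft's code and not a description of its real token service: a simplified token validator that trusts any key it can find by key ID, next to one that only consults the key set owned by the expected issuer and requires the token's issuer claim to match. Key material, key IDs and issuer URLs are constructed for the demo, and HMAC stands in for the asymmetric signing keys real identity systems use.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key material. Real systems use asymmetric keys and
# publish only the public half; HMAC keeps this example self-contained.
CONSUMER_KEYS = {"msa-key-1": b"consumer-secret-demo"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-secret-demo"}
CONSUMER_ISS = "https://consumer.example"      # hypothetical MSA issuer
ENTERPRISE_ISS = "https://enterprise.example"  # hypothetical Azure AD issuer


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(key_store: dict, kid: str, claims: dict) -> str:
    """Produce a compact JWS-style token signed with key `kid` from `key_store`."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    signed = f"{header}.{body}".encode()
    sig = hmac.new(key_store[kid], signed, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def _parse(token: str):
    header, body, sig = token.split(".")
    return json.loads(_unb64(header)), json.loads(_unb64(body)), _unb64(sig), f"{header}.{body}".encode()


def validate_weak(token: str):
    """Flawed: any key the validator can locate by kid is trusted, whichever issuer owns it."""
    hdr, claims, sig, signed = _parse(token)
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(hdr["kid"])  # key sets merged: scope lost
    if key and hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig):
        return claims  # an enterprise identity is accepted even when a consumer key signed it
    return None


def validate_enterprise(token: str):
    """Hardened: only the enterprise key set is consulted, and the issuer claim must match it."""
    hdr, claims, sig, signed = _parse(token)
    key = ENTERPRISE_KEYS.get(hdr["kid"])
    if key is None or claims.get("iss") != ENTERPRISE_ISS:
        return None  # unknown key for this issuer, or token not issued by this system
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig):
        return None
    return claims
```

Run against a token signed by the consumer key but carrying an enterprise issuer claim, the weak validator returns the claims while the hardened one returns None; a token legitimately signed by the enterprise key is accepted by both.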
Microsoft said it mitigated the issue by blocking the use of tokens signed with the acquired MSA key in OWA, replacing the key so that the attackers cannot use it to forge further tokens, and blocking the use of tokens issued with that key for all affected consumer customers.
Microsoft has not identified which government agencies were affected by the campaign, but the US Department of Commerce confirmed to the BBC that Microsoft was compromised.
Mandiant chief analyst John Hultquist said China’s cyber espionage operations are becoming more sophisticated.
“Rather than manipulating unsuspecting victims into opening malicious files or links, these attackers are innovating and designing new techniques that already pose challenges to us,” he added.
“They have transformed their infrastructure, even the way they connect to targeted systems. Where once they connected through simple proxies, or even directly from China, they now connect through an elaborate, ephemeral network of proxied compromised systems, which makes tracking and detecting the adversary extremely difficult.”
Keeper Security’s head of product, Zane Bond, claimed that the attackers’ targeting of Microsoft’s cloud service, rather than individual customers, helped the incident to be resolved quickly.
“From a technical perspective, this attack highlights an unexpected advantage for cloud providers that also offer security,” he said. “Because this attack targeted the cloud rather than individual customers, Microsoft was able to quickly patch all Azure customers around the world to resolve the issue.”