U.S. Government Agencies’ Emails Compromised in China-Backed Cyber Attack

July 13, 2023 | THN | cyber espionage / email security


An unnamed U.S. Federal Civilian Executive Branch (FCEB) agency detected anomalous email activity in mid-June 2023, leading Microsoft to uncover a new China-linked espionage campaign targeting roughly two dozen organizations.

The details come from a joint cybersecurity advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on July 12, 2023.

“In June 2023, Federal Civilian Executive Branch (FCEB) agencies identified suspicious activity in Microsoft 365 (M365) cloud environments,” the agencies said. “Microsoft has determined that an Advanced Persistent Threat (APT) attacker accessed unclassified Exchange Online Outlook data and exfiltrated it.”

The agency was not named, but CNN and the Washington Post, citing people familiar with the matter, reported that it was the U.S. State Department. Also targeted were the Department of Commerce and email accounts belonging to congressional staff, U.S. human rights advocates, and U.S. think tanks. The number of affected organizations in the U.S. is estimated to be in the single digits.

The disclosure comes a day after the tech giant attributed the campaign to an emerging “China-based actor” that it tracks as Storm-0558. The group primarily targets government agencies in Western Europe, with a focus on espionage and data theft. Evidence collected so far indicates that the malicious activity began a month before it was detected.

China, however, has denied accusations that it was behind the intrusions, calling the United States “the world’s largest hacking empire and a global cyber thief” and stating that it is time for the United States to “explain its cyberattack activities” and “stop spreading disinformation to distract the public.”

The attack chain involved accessing customer email accounts through Outlook Web Access in Exchange Online (OWA) and Outlook.com using forged authentication tokens. The tokens were forged with an acquired Microsoft account (MSA) consumer signing key. A token-validation flaw on Microsoft's side meant that tokens signed with that consumer key were also accepted for enterprise Azure AD accounts, which is how a consumer-side key translated into access to the targeted organizations' Exchange Online mailboxes. Exactly how the key was procured remains unknown.
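To make the key/issuer mismatch concrete, here is an added toy example; it is not Microsoft's code and is not taken from the article or the advisory. Real Microsoft identity tokens are RSA-signed JWTs checked against published JWKS; this toy signs with HMAC-SHA256 over constructed keys so it runs offline. The key store, its `scope` tag, the per-issuer scope table, the `contoso-tenant` issuer and the `analyst@contoso.example` user are all assumptions standing in for whatever binding the real validator lacked. The vulnerable validator trusts any key in the shared store for any issuer; the hardened one first asks whether this key is one that this issuer is allowed to use, and only then checks the signature.

```python
"""Toy model of the forged-token path: a consumer signing key used to mint a
token that names an enterprise tenant. Added example, not Microsoft's code.
Constructed keys, HMAC instead of RSA, assumed key-store layout."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing material. In the incident the actor held only the MSA
# consumer key; the enterprise key is here so the hardened path has a legitimate case.
KEYS = {
    "msa-consumer-kid": {"secret": b"constructed-consumer-signing-key", "scope": "consumer"},
    "aad-enterprise-kid": {"secret": b"constructed-enterprise-signing-key", "scope": "enterprise"},
}
CONSUMER_ISSUER = "https://login.live.com"                                  # MSA (consumer) issuer
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso-tenant/v2.0"  # placeholder tenant
ISSUER_SCOPE = {CONSUMER_ISSUER: "consumer", ENTERPRISE_ISSUER: "enterprise"}  # assumed binding table
EXCHANGE_AUDIENCE = "https://outlook.office365.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS (header.payload.signature) under the named key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), h + "." + p, _b64url_decode(s)


def _signature_ok(kid: str, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_vulnerable(token: str) -> Optional[dict]:
    """Flawed check: any key in the shared store may vouch for any issuer.
    The signature is genuine, so a consumer-key token naming an enterprise
    tenant is accepted; this is the shape of the failure described above."""
    header, claims, signing_input, sig = _split(token)
    kid = header.get("kid")
    if kid not in KEYS or not _signature_ok(kid, signing_input, sig):
        return None
    return claims


def validate_hardened(token: str) -> Optional[dict]:
    """Hardened check: the key must be one the token's issuer is allowed to use,
    and the audience must be this service, before the signature is even consulted."""
    header, claims, signing_input, sig = _split(token)
    kid, issuer = header.get("kid"), claims.get("iss")
    if kid not in KEYS or issuer not in ISSUER_SCOPE:
        return None
    if KEYS[kid]["scope"] != ISSUER_SCOPE[issuer]:
        return None  # consumer key vouching for an enterprise issuer: reject
    if claims.get("aud") != EXCHANGE_AUDIENCE:
        return None
    if not _signature_ok(kid, signing_input, sig):
        return None
    return claims


def forged_enterprise_token() -> str:
    """What an actor holding only the consumer key can mint: enterprise-looking
    claims under a consumer signature."""
    return sign_token("msa-consumer-kid", {"iss": ENTERPRISE_ISSUER, "aud": EXCHANGE_AUDIENCE,
                                           "upn": "analyst@contoso.example"})


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("vulnerable validator accepts forged token:", validate_vulnerable(forged) is not None)
    print("hardened validator accepts forged token:  ", validate_hardened(forged) is not None)
```

The point of the hardened path is that signature verification is not the first question. A validator that looks up the key by `kid` alone, across every key it trusts, has already lost once any one of those keys leaks; binding each key to the issuer and audience it may sign for turns a key compromise into a compromise of that issuer only.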


Storm-0558 also uses two custom malware tools, Bling and Cigril, to facilitate access to credentials. Cigril is described as a trojan that decrypts encrypted files and runs them directly from system memory to evade detection.

CISA said the FCEB agency identified the breach using enhanced logging in Microsoft Purview Audit, specifically the MailItemsAccessed mailbox-auditing action, which the advisory notes is only available with Purview Audit (Premium) logging.

The agencies also recommend that organizations enable Purview Audit (Premium) logging, enable Microsoft 365 Unified Audit Logging (UAL), and ensure that operators can search the logs so they can track this type of activity and distinguish it from expected behavior.

“Organizations are encouraged to look for outliers and familiarize themselves with baseline patterns to better understand anomalous versus normal traffic,” CISA and the FBI added.
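The baseline-versus-outlier review the agencies describe, as an added example that is not code from CISA, the FBI or Microsoft. The rows are constructed to mirror Search-UnifiedAuditLog output, where each row carries an AuditData JSON string holding the Exchange mailbox-audit fields (UserId, AppId, ClientIPAddress, ClientInfoString, OperationCount, with MailAccessType and IsThrottled inside OperationProperties). The mailbox name, app ids, client strings and addresses are placeholders, and the burst threshold is an assumption to tune per tenant. It also handles one caveat worth knowing: when Exchange Online throttles MailItemsAccessed, the surviving record is marked IsThrottled and its count is a floor, not a total.

```python
"""Outlier review over constructed MailItemsAccessed rows from the M365 UAL.
Added example, not agency or Microsoft code. Placeholder users, apps, IPs."""
import json
from collections import defaultdict
from typing import Dict, List


def _ual_row(user, ip, app_id, client, access_type, count, when, throttled=False):
    """Build one constructed UAL row in the exported shape (AuditData is JSON text)."""
    audit = {
        "CreationTime": when, "Operation": "MailItemsAccessed", "RecordType": 50,
        "Workload": "Exchange", "UserId": user, "AppId": app_id,
        "ClientIPAddress": ip, "ClientInfoString": client, "OperationCount": count,
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": access_type},
            {"Name": "IsThrottled", "Value": str(throttled)},
        ],
    }
    return {"CreationDate": when, "UserIds": user, "Operations": "MailItemsAccessed",
            "AuditData": json.dumps(audit)}


USER = "analyst@contoso.example"     # constructed mailbox
OWA = "Client=OWA;Mozilla/5.0"       # constructed ClientInfoString values
DESKTOP = "Client=MSExchangeRPC"

# Constructed baseline window: routine OWA/desktop access from the office range.
BASELINE_ROWS = [
    _ual_row(USER, "203.0.113.10", "app-owa-demo", OWA, "Bind", 5, "2023-05-16T08:02:00"),
    _ual_row(USER, "203.0.113.10", "app-owa-demo", OWA, "Bind", 12, "2023-05-23T13:40:00"),
    _ual_row(USER, "203.0.113.11", "app-outlook-desktop-demo", DESKTOP, "Sync", 30, "2023-06-01T09:15:00"),
]

# Constructed review window: one normal row, then a bulk Sync from an unseen
# app id and address at 03:12, then a throttled row from that same pair.
REVIEW_ROWS = [
    _ual_row(USER, "203.0.113.10", "app-owa-demo", OWA, "Bind", 8, "2023-06-15T08:10:00"),
    _ual_row(USER, "198.51.100.7", "app-unknown-demo", "Client=REST;python-requests", "Sync", 250, "2023-06-15T03:12:00"),
    _ual_row(USER, "198.51.100.7", "app-unknown-demo", "Client=REST;python-requests", "Sync", 1, "2023-06-15T03:45:00", throttled=True),
]


def parse_row(row: dict) -> dict:
    """Decode AuditData and lift the OperationProperties name/value list to plain keys."""
    data = json.loads(row["AuditData"])
    props = {p["Name"]: p["Value"] for p in data.get("OperationProperties", [])}
    data["MailAccessType"] = props.get("MailAccessType")
    data["IsThrottled"] = props.get("IsThrottled") == "True"
    return data


def build_baseline(rows: List[dict]) -> Dict[str, dict]:
    """Per mailbox: the (AppId, ClientIPAddress) pairs seen and the largest OperationCount."""
    baseline = defaultdict(lambda: {"pairs": set(), "max_count": 0})
    for rec in map(parse_row, rows):
        entry = baseline[rec["UserId"]]
        entry["pairs"].add((rec["AppId"], rec["ClientIPAddress"]))
        entry["max_count"] = max(entry["max_count"], rec["OperationCount"])
    return baseline


def find_outliers(baseline: Dict[str, dict], rows: List[dict], burst_factor: int = 3) -> List[dict]:
    """Flag rows whose app/address pair is new for the mailbox, whose OperationCount
    dwarfs the baseline maximum, or that were throttled (count understates access)."""
    findings = []
    for rec in map(parse_row, rows):
        known = baseline.get(rec["UserId"], {"pairs": set(), "max_count": 0})
        reasons = []
        if (rec["AppId"], rec["ClientIPAddress"]) not in known["pairs"]:
            reasons.append("new AppId/ClientIPAddress pair for this mailbox")
        if rec["OperationCount"] > burst_factor * known["max_count"]:
            reasons.append(f"burst: {rec['OperationCount']} items vs baseline max {known['max_count']}")
        if rec["IsThrottled"]:
            reasons.append("throttled: further MailItemsAccessed events were suppressed, count is a floor")
        if reasons:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "app": rec["AppId"], "ip": rec["ClientIPAddress"],
                             "access": rec["MailAccessType"], "reasons": reasons})
    return findings


def run_demo() -> List[dict]:
    return find_outliers(build_baseline(BASELINE_ROWS), REVIEW_ROWS)


if __name__ == "__main__":
    for f in run_demo():
        print(f["time"], f["user"], f["app"], f["ip"], f["access"], "|", "; ".join(f["reasons"]))
```

Real exports will need a longer baseline window than three rows, and the pair key can be widened to a network prefix rather than an exact address for mobile users; the structure stays the same: learn what each mailbox normally looks like, then ask which rows do not fit.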
