A Chinese hacking group has breached the email accounts of more than two dozen organizations worldwide, including U.S. and Western European government agencies, according to Microsoft.
The attacks have been pinned on a threat group tracked as Storm-0558, believed to be a cyber-espionage outfit focused on collecting sensitive information by breaching email systems.
Microsoft started investigating these attacks on June 16, 2023, following customer reports regarding unusual Office 365 mail activity.
The company discovered that starting from May 15, 2023, Storm-0558 threat actors managed to access Outlook accounts belonging to roughly 25 organizations (reportedly including the U.S. State and Commerce Departments) and some consumer accounts likely connected to them.
However, Microsoft did not share what organizations, government agencies, or countries were affected by these email breaches.
To do that, the attackers used authentication tokens forged with the help of a stolen Microsoft account (MSA) consumer signing key.
"Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email," Microsoft said in a blog post published late Tuesday evening.
"The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail."
Microsoft added that it found no evidence indicating any additional unauthorized access after it "completed mitigation of this attack."
Discovered and reported by the U.S. government
The incident was reported to Microsoft by U.S. government officials last month after the discovery of unauthorized access to Microsoft cloud-based email services.
This was confirmed by National Security Council spokesperson Adam Hodge in a statement shared with CNN.
"Last month, US government safeguards identified an intrusion in Microsoft's cloud security, which affected unclassified systems," Hodge told CNN.
"Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the US Government to a high security threshold."
On Tuesday, Microsoft also revealed that the RomCom Russian-based cybercriminal group exploited an unpatched Office zero-day in recent spear-phishing attacks targeting organizations attending the NATO Summit in Vilnius, Lithuania.
Comments
Winston2021 - 10 months ago
So, what are the intrusion stats of what I perceive to be the potential "one stop shopping" the cloud presents to hackers, allowing multiple organizations to be compromised with perhaps one method versus their need to attack multiple targets individually? Is the cloud actually more secure on average or is it just a way to save money?
EndangeredPootisBird - 10 months ago
To save money. Thank neoliberalism for that.