Microsoft has discovered another Chinese cyber-espionage campaign that compromised at least 25 organizations including the US government.
The tech giant began an investigation into suspicious mail activity after being alerted by a customer on June 16. It subsequently found that the Chinese group, tracked as Storm-0558, had gained access to customer email accounts from May 15.
The group is known for targeting government agencies in Western Europe and focuses on espionage, data theft and credential access, Microsoft said in a blog post.
The threat actors apparently gained access to customer email accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.
“The actor used an acquired [Microsoft account] MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems,” Microsoft explained.
“The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.”
Microsoft said it has mitigated the issue by blocking the use of tokens signed with the acquired MSA key in OWA, replacing the key to prevent the hackers from using it to forge more tokens, and blocking the use of tokens issued with the key for all impacted consumer customers.
Although Microsoft did not name the agencies impacted by the campaign, the US Department of Commerce confirmed to the BBC that it was compromised.
John Hultquist, chief analyst at Mandiant, explained that Chinese cyber-espionage is increasingly stealthy.
“Rather than manipulating unsuspecting victims into opening malicious files or links, these actors are innovating and designing new methods that are already challenging us,” he added.
“They've even transformed their infrastructure – the way they connect to targeted systems. There was a time when they would come through a simple proxy or even directly from China, but now they are connecting through elaborate, ephemeral proxy networks of compromised systems. The result is an adversary much harder to track and detect.”
Zane Bond, head of product at Keeper Security, argued that Microsoft was able to resolve the incident quickly thanks to its targeting of cloud customers.
“From a technical perspective, this attack highlights an unexpected advantage of cloud providers that also provide security,” he said. “Because this attack targeted the cloud, as opposed to individual customers, Microsoft was able to immediately patch and resolve this issue for all of its Azure customers globally.”