Microsoft has confirmed that Chinese hackers exploited a vulnerability in its cloud email service, gaining unauthorized access to the email accounts of U.S. government employees. The hacking group, known as Storm-0558, compromised around 25 email accounts, including those belonging to government agencies and individuals associated with these organizations.
Microsoft, which uses the “Storm” designation to track emerging or developing hacking groups, has not disclosed the specific government agencies targeted by Storm-0558. However, Adam Hodge, a spokesperson for the White House’s National Security Council, has confirmed that U.S. government agencies were indeed affected by the breach.
The State Department was identified as one of the federal agencies compromised in the attack; State Department officials were the first to alert Microsoft to the breach. Upon investigation, Microsoft determined that Storm-0558, a well-resourced Chinese hacking group, gained unauthorized access to email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com. The hackers used acquired Microsoft consumer signing keys to forge authentication tokens, allowing them to impersonate Azure AD users and gain entry to enterprise email accounts.
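The mechanism described above turns on a token verifier accepting a signature from a key that was never meant to vouch for that audience. The following is an added, simplified illustration (not Microsoft's code, and not a description of its actual validation logic) of the defender-side check that matters: the key lookup is bound to the issuing scope the audience expects, so a token signed with a consumer-scope key is rejected for an enterprise audience even though its signature is mathematically valid. Keys and claims are constructed for the demo, and HMAC stands in for the RSA keys real identity providers publish.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo keys, one per issuing scope. Production tokens are signed
# with RSA keys from a published JWKS; HMAC is used here so the example runs offline.
KEYS = {
    "consumer": {"kid": "consumer-k1", "secret": b"consumer-demo-secret"},
    "enterprise": {"kid": "ent-k1", "secret": b"enterprise-demo-secret"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(scope: str, claims: dict) -> str:
    """Issue a compact HS256 JWT signed by the key of the given scope (test helper)."""
    key = KEYS[scope]
    header = {"alg": "HS256", "typ": "JWT", "kid": key["kid"]}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_scope: str, expected_aud: str, now=None):
    """Return the claims only if the token is signed by a key of expected_scope.

    Resolving `kid` across every known key would accept a consumer-signed token
    for an enterprise audience; resolving it only within expected_scope does not.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    key = KEYS[expected_scope]
    if header.get("alg") != "HS256" or header.get("kid") != key["kid"]:
        return None  # unknown key, or a key from the wrong issuing scope
    expected_sig = hmac.new(key["secret"], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        return None  # signature does not match the expected key
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None  # wrong audience or expired
    return claims
```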
The malicious activity of Storm-0558 went undetected for approximately a month until Microsoft received reports from customers about abnormal mail behavior. Microsoft promptly mitigated the attack, ensuring that Storm-0558 no longer had access to the compromised accounts. However, it remains unclear whether any sensitive data was exfiltrated during the period when the attackers had control.
Charlie Bell, Microsoft’s top cybersecurity executive, stated that the hacking group appeared to be focused on espionage, specifically targeting email systems for intelligence collection. The motive behind this type of espionage is to abuse credentials and gain access to data residing in sensitive systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory, revealing that the attackers had accessed unclassified email data. Additionally, a senior FBI official described the intrusion as a targeted campaign and confirmed that the number of impacted government agencies was in single digits, without disclosing the specific agencies involved.
While the overall impact of the incident remains uncertain, CISA has determined that a government-backed actor, which the U.S. government has not yet attributed to China, exfiltrated a limited amount of Exchange Online data.
CISA and the FBI are urging organizations to report any anomalous activity detected in Microsoft 365 to the respective agencies. The investigation is ongoing, and Microsoft is working to enhance the security of its cloud services to prevent similar attacks in the future.