US government agencies got hacked after Microsoft lost its keys
In a major cybersecurity incident, Microsoft disclosed last week that a group of hackers believed to be linked to China successfully infiltrated the email accounts of over two dozen organizations across the globe.
With targets ranging from U.S. Commerce Secretary Gina Raimondo to undisclosed organizations, the scope of the breach is extensive. The targets of this breach also included other government agencies in the United States and Western European countries, marking a concerning development in the realm of cyber espionage.
In a new advisory published on its website, Microsoft admitted: “The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens.”
Four days later, Microsoft said it still did not know how Chinese hackers stole the inactive Microsoft account (MSA) consumer signing key used to breach the Exchange Online and Azure AD accounts of these organizations. The company remains tight-lipped about how Chinese-backed hackers managed to acquire a crucial key that allowed them to infiltrate multiple email accounts, including those of various federal government agencies.
The Redmond-based tech giant disclosed that the hackers acquired one of its consumer signing keys, typically used to secure consumer email accounts like Outlook.com. However, the hackers cunningly used this key to forge tokens and gain unauthorized access to enterprise inboxes, exploiting a “validation error” in Microsoft’s code.
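The validation error described above is, in effect, a key-scoping failure: a key that was only supposed to vouch for consumer tokens was also accepted for enterprise tokens. The following added example (constructed here, not Microsoft's code) shows a flawed verifier that trusts any known key for any issuer beside a hardened one that selects the key set from the relying party's own configuration. It uses HMAC keys and placeholder issuer URLs to stay self-contained; real identity providers publish asymmetric keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed key sets, not Microsoft's. Real issuers publish asymmetric keys;
# HMAC keys are used here only to keep the example self-contained.
CONSUMER_KEYS = {"msa-key-1": b"constructed-consumer-signing-key"}
ENTERPRISE_KEYS = {"aad-key-1": b"constructed-enterprise-signing-key"}
CONSUMER_ISSUER = "https://consumer.example/"      # placeholder issuer URL
ENTERPRISE_ISSUER = "https://enterprise.example/"  # placeholder issuer URL
KEYS_BY_ISSUER = {CONSUMER_ISSUER: CONSUMER_KEYS, ENTERPRISE_ISSUER: ENTERPRISE_KEYS}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, key: bytes, claims: dict) -> str:
    # Mint a compact HS256 JWS carrying the given key id and claims.
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def _verify_with(token: str, keys: dict):
    # Verify the signature against one key set; return the claims or None.
    head, body, sig = token.split(".")
    key = keys.get(json.loads(_b64url_decode(head)).get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))

def validate_flawed(token: str):
    # Flaw: every key the service knows is trusted for every issuer, so a token
    # signed with the consumer key passes even when it claims the enterprise issuer.
    return _verify_with(token, {**CONSUMER_KEYS, **ENTERPRISE_KEYS})

def validate_scoped(token: str, expected_issuer: str):
    # Fix: the relying party's own configuration, not the token, selects the key
    # set, and the iss claim must still match once the signature checks out.
    claims = _verify_with(token, KEYS_BY_ISSUER[expected_issuer])
    return claims if claims and claims.get("iss") == expected_issuer else None

def forged_enterprise_token() -> str:
    # Constructed: signed with the consumer key but claiming the enterprise issuer.
    return sign_token("msa-key-1", CONSUMER_KEYS["msa-key-1"],
                      {"iss": ENTERPRISE_ISSUER, "sub": "user@tenant.example"})
```

Running `validate_flawed(forged_enterprise_token())` returns the forged claims, while `validate_scoped(forged_enterprise_token(), ENTERPRISE_ISSUER)` returns None because the consumer key id is not in the enterprise key set.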
In a blog post, Microsoft attributed the breach to a newly discovered espionage group known as Storm-0558, believed to have strong ties to China. While the U.S. government has not officially attributed the hacks, China’s top foreign ministry spokesperson has vehemently denied any involvement. The breach, which began in mid-May, exploited undisclosed vulnerabilities within Microsoft’s cloud infrastructure, rather than targeting individual email servers.
“Microsoft Threat Intelligence assesses with moderate confidence that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives. While we have discovered some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), we maintain high confidence that Storm-0558 operates as its own distinct group,” Microsoft said in a statement.
The company also added, “In past activity observed by Microsoft, Storm-0558 has primarily targeted US and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests.”
While the immediate threat appears to be contained, questions still remain about Microsoft’s lack of visibility into the intrusions and the level of security logging provided to government departments. The company has been criticized for reserving security logs for higher-tier accounts, potentially hindering incident response efforts for those with lower-tier accounts. As Microsoft faces scrutiny and pressure to address these concerns, it remains to be seen how the technology giant will navigate this complex and far-reaching investigation.
Meanwhile, the hackers also made a critical mistake that played into the hands of Microsoft investigators. By using the same key to infiltrate multiple inboxes, their actions created a pattern that became visible to Microsoft’s scrutiny across both enterprise and consumer systems. Consequently, Microsoft was able to identify and notify those who were compromised, shedding light on the extent of the breach.
Although Microsoft claims to have blocked all unauthorized activity related to the breach, the company still faces scrutiny for its handling of the incident, especially given its significance as one of the largest breaches of unclassified government data since the SolarWinds attack in 2020. The incident also raises questions about Microsoft’s approach to managing vulnerabilities.
For example, Microsoft went to great lengths to carefully word its blog post, avoiding terms like “zero-day,” which refers to vulnerabilities exploited before a software maker has the chance to fix them. Despite debates about whether the bug or its exploitation truly fits the definition of a zero-day, Microsoft opted to steer clear of using such terminology or even acknowledging it as a vulnerability.
Adding to the complexity, the breach was exacerbated by a lack of visibility within the government departments themselves. Microsoft is also taking heat for reserving, for government accounts on the company’s top-tier package, the security logs that might have helped other incident responders identify malicious activity.
CNN first reported that the State Department initially detected the breach and reported it to Microsoft, while other government departments lacked the same level of logging capabilities. The Wall Street Journal highlighted that higher-tier Microsoft accounts had access to greater security logging, while lower-tier government accounts failed to track specific mailbox data that could have revealed the attack. This disparity in logging availability has drawn criticism, and Microsoft has acknowledged that it is evaluating feedback on the matter. TechCrunch also piled on with this piece titled, “Microsoft lost its keys, and the government got hacked.”
Although Microsoft provided additional technical details and indicators of compromise in its disclosure on Friday, there are still unanswered questions that the company needs to address. While the investigation continues, it is clear that Microsoft will not be able to easily shake off the consequences of this breach in the near future.