The story so far: In July, Microsoft said that a China-based hacking group breached U.S. government-linked email accounts. The company said the group identified as Storm-0558, gained access to email accounts of 25 organisations, including Western European government agencies, email accounts from top American officials such as Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asia Daniel Kritenbrink. The attacks stemmed from the compromise of a Microsoft engineer’s corporate account. The company further explained that hackers were able to extract a cryptographic key from the engineer’s account to access into email accounts. The flaw has been fixed now.
When did the attacks start?
The attack on email accounts of American government officials was first noticed when customers reported abnormal activity on June 16. Microsoft then began an investigation which revealed that from May 15, Storm-0558 gained access to email accounts affecting approximately 25 organisations in the public cloud including government agencies as well as related customer accounts of individuals associated with them.
What is Storm-0558?
Microsoft Threat Intelligence “with moderate confidence” assessed that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives. The group is thought to operate as its own distinct group and its core working hours are consistent with working hours in China, Microsoft said in a blog post.
In the past, the group has been seen to have primarily targeted U.S. and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests. The group has been targeting Microsoft accounts since August 2021 and had reportedly obtained credentials for initial access through phishing campaigns and exploited vulnerabilities in public-facing applications to gain access to victims’ networks.
How did the threat actors breach Microsoft’s security?
The China-based threat actor was able to compromise Microsoft’s cloud security systems by using an acquired MSA key to forge tokens to access Outlook Web Access (OWA), Microsoft’s web-based mail client that is part of the company’s Exchange Server, Outlook.com. MSA keys are token signing keys used by a service to validate authentication tokens for the service.
Hackers then used the acquired key to forge a token that was used for validation issues to impersonate Azure AD users and gain access to enterprise email.
What is a cryptographic key?
A cryptographic key is a string of characters used within an encryption algorithm to alter data making it illegible to someone without the correct key. Like a physical key, a cryptographic key encrypts data and is used to decrypt the encased data by the holder of the key.
In the case of SSL encryption (HTTPS), two types of encryptions are used. They can be symmetric and asymmetric encryptions. In symmetric encryption, both sides of a conversation use the same key for turning plain text into cyphers (encrypted) text.
However, in asymmetric or public key encryption, the two sides of the conversation use a different key. A public key and a private key, the private key is never shared by the party with anyone. When plaintext is encrypted with the public key, only the private key can decrypt it, not the public key.
How did hackers acquire MSA keys?
Microsoft, after its technical investigation into the attack, revealed that the key was stolen from its corporate environment due to a series of errors. Threat actors compromised a Microsoft engineer’s account gaining access to the company’s network and debugging environment. A debugging environment is used by companies to test their products during production and fix errors and bugs in the source code before they are released to the public.
In this case, the consumer signing key was present in the debugging environment due to a consumer signing crash in April 2021, that resulted in a snapshot of the crashed process. A crash dump is a file of digital records related to the crash. The crash dump should not have included the signing key of the consumers, Microsoft said in a blog post. And, since Microsoft says it was not aware of the presence of the key in the crash dump, the dump was moved outside the isolated production network into the company’s debugging network, connected to its internet-connected corporate network.
Microsoft’s investigation into the report further adds that the company does not have logs related to the “specific evidence of this exfiltration by this actor”, the engineer’s account, due to their log retention policies. The company, however, says that this was the most probable mechanism by which the actor acquired the key.
Microsoft did not reveal the identity of the engineer whose account was compromised by threat actors to access the keys.
Why was a consumer key accessible to the engineer’s account?
Microsoft introduced a common key metadata publishing endpoint in September 2018. Microsoft says it provided an API to help “validate the signatures cryptographically but did not update their libraries to perform this scope validation automatically”.
The company further added that developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation. This allowed the mail system to accept or request enterprise email using a security token signed with the consumer key. Microsoft says the issue has been corrected.
How has China responded to reports of the attack?
China called the Microsoft report about the China-based hacking group breaching government-linked email accounts “disinformation”, a report from AP said. A Chinese foreign ministry spokesman, Wang Wenbin, further added the accusation was “disinformation” aimed at diverting attention from U.S. cyberattacks on China. “No matter which agency issued this information, it will never change the fact that the United States is the world’s largest hacker empire conducting the most cyber theft,” Mr. Wang added in a routine briefing.