As more details emerge of the Microsoft Azure Cloud Email hack by China-based hackers, The Wall Street Journal is now reporting that targets include the U.S. State Department and U.S. Commerce Secretary Gina Raimondo. The news breaks as the U.S. continues to attempt to smooth relations with China, with Biden Administration officials such as Antony Blinken visiting Beijing.
The State Department said that “a small number” of State Department employees were compromised in the attack. Consistent with prior reports, they do not believe sensitive national security information was accessed.
U.S. State Department, Commerce Department confirms cybersecurity breach
The Journal reports that cybersecurity specialists at the State Department were the first to detect the espionage campaign that leveraged a vulnerability in the Microsoft Azure cloud environment.
“We took immediate steps to secure our systems and notified Microsoft,” states State Department spokesperson Matt Miller.
The U.S. Commerce Department also confirmed that it had been a part of the espionage attack in a statement.
“Microsoft notified the department of a compromise to Microsoft’s Office 365 system, and the department took immediate action to respond,” a Commerce Department spokesman said in a statement. “We are monitoring our systems and will respond promptly should any further activity be detected.”
Who is Storm-0558, the Chinese Hackers Responsible?
Microsoft has officially dubbed the Chinese hackers responsible for the cyber espionage attacks as “Storm-0558.” The company recently changed the way it names cyber threat actors, using naming conventions after weather. “Storm” represents “groups in development”, whereas “Typhoon” represents confirmed China ties.
Storm-0558 has “China ties” according to their analysis of the event.
Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email.
Further research by Microsoft confirmed that Storm-0558 used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems.
Storm-0558 then exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.
At this time, it is not believed that Storm-0558 had anything to do with the recent distributed denial of service (DDoS) attacks that plagued Microsoft Azure and Outlook / 365 applications in June.
