The Information Highway


Microsoft: Chinese hackers breached US govt Exchange email accounts

A Chinese hacking group has breached the email accounts of more than two dozen organizations worldwide, including U.S. and Western European government agencies, according to Microsoft.

The attacks have been pinned on a threat group tracked as Storm-0558, believed to be a cyber-espionage outfit focused on collecting sensitive information by breaching email systems.

Microsoft started investigating these attacks on June 16, 2023, following customer reports regarding unusual Office 365 mail activity.

The company discovered that starting from May 15, 2023, Storm-0558 threat actors managed to access Outlook accounts belonging to roughly 25 organizations (reportedly including the U.S. State and Commerce Departments) and some consumer accounts likely connected to them.

However, Microsoft did not share what organizations, government agencies, or countries were affected by these email breaches.

To access these accounts, the attackers used authentication tokens forged with the help of a stolen Microsoft account (MSA) consumer signing key.

"Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email," Microsoft said in a blog post published late Tuesday evening.

"The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail."
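The validation flaw described above, as an added defender's illustration that is not part of the original article or of Microsoft's code: a verifier that looks up a token's key id across a merged pool of consumer and enterprise keys accepts a token signed with a consumer key but addressed to an enterprise service, while a verifier that scopes the key lookup to the expected issuer's own key set rejects it. Key sets, key ids, issuer names and claims are constructed, and HMAC stands in for the RSA signatures real tokens carry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key sets: MSA (consumer) and Azure AD (enterprise) keys are issued and
# managed separately. Key ids and secrets are hypothetical stand-ins for real RSA keys.
KEY_SETS = {
    "consumer": {"msa-key-1": b"consumer-signing-secret"},
    "enterprise": {"aad-key-1": b"enterprise-signing-secret"},
}

def _enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=")

def _dec(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def mint_token(key_set, kid, claims):
    """Sign claims with a key from the named set (the actor held a consumer key)."""
    signing_input = _enc({"alg": "HS256", "kid": kid}) + b"." + _enc(claims)
    sig = hmac.new(KEY_SETS[key_set][kid], signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + base64.urlsafe_b64encode(sig).rstrip(b"=")).decode()

def _verify(token, key_lookup, expected_iss, expected_aud, now):
    head_b64, claims_b64, sig_b64 = token.split(".")
    header, claims = _dec(head_b64), _dec(claims_b64)
    key = key_lookup(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    actual = base64.urlsafe_b64decode(sig_b64 + "=" * (-len(sig_b64) % 4))
    if not hmac.compare_digest(expected, actual):
        return False, "bad signature"
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return False, "wrong iss/aud"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"

def validate_merged_pool(token, expected_aud, now=None):
    """Weak: any known key from any issuer is accepted as long as the kid matches."""
    pool = {k: v for keys in KEY_SETS.values() for k, v in keys.items()}
    return _verify(token, pool.get, "enterprise", expected_aud, now or time.time())

def validate_scoped(token, expected_aud, now=None):
    """Hardened: the kid must belong to the expected issuer's own key set."""
    return _verify(token, KEY_SETS["enterprise"].get, "enterprise", expected_aud, now or time.time())
```

The scoped check fails before the signature is ever examined, which is the property the separate key systems were meant to guarantee.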

Microsoft added that it found no evidence indicating any additional unauthorized access after it "completed mitigation of this attack."

Discovered and reported by the U.S. government

The incident was reported to Microsoft by U.S. government officials last month after the discovery of unauthorized access to Microsoft cloud-based email services.

This was confirmed by National Security Council spokesperson Adam Hodge in a statement shared with CNN.

"Last month, US government safeguards identified an intrusion in Microsoft's cloud security, which affected unclassified systems," Hodge told CNN.

"Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the US Government to a high security threshold."

On Tuesday, Microsoft also revealed that the Russia-based RomCom cybercriminal group exploited an unpatched Office zero-day in recent spear-phishing attacks targeting organizations attending the NATO Summit in Vilnius, Lithuania.
