Microsoft says Chinese hackers gained access to US government email accounts

News
By published

Hackers reportedly had access for a month before being pushed out

security
OpenVPN-protokollet - därför är det så bra (Image credit: Shutterstock)

A Chinese threat actor was able gain access to more than two dozen Microsoft email accounts belonging to various organizations in the West, the company has revealed.

Microsoft explained the details in an advisory published on the company’s website, noting it spotted the threat actor it tracks as Storm-0558 targeting government agencies in Western Europe, after being tipped off by customers in mid-June. 

A deeper investigation uncovered that Storm-0558 started its campaign in mid-May this year, gaining access to email accounts of roughly 25 organizations, including government firms.

Forging authentication tokens

The attack was conducted using forget authentication tokens which allowed threat actors to access emails using an acquired MIcrosoft account consumer signing key, the company confirmed.

“Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email,” Microsoft explained. 

“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.”

Read more

> Microsoft denies massive user data breach - here's all we know so far

> Nearly all Microsoft 365 customers have suffered email data breaches

> These are the best firewalls right now

Microsoft’s post-activity telemetry suggests that the attack was successfully mitigated, and that Storm-0558 no longer has access to these accounts. However, the company did not discuss the damage that was done in the month while the attackers had access. 

What it did confirm is that the group is usually focused on espionage, data theft, and credential access, against entities in Western Europe.

There is nothing for potentially affected customers to do in order to stay secure, Microsoft added, as the update was done from the company’s side. The Redmond software giant said it contacted targeted firms directly, and provided them with important information needed for mitigation and response. 

“If you have not been contacted, our investigations indicate that you have not been impacted,” Microsoft concluded.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
China
Microsoft says Chinese Silk Typhoon hackers are targeting cloud and IT apps to steal business data
Phishing
Russian cyberattackers spotted hitting Microsoft Teams with new phishing campaign
A padlock resting on a keyboard.
Massive botnet is targeting Microsoft 365 accounts across the world
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Microsoft reveals over a million PCs hit by malvertising campaign
Latest in Pro
NHS
NHS IT supplier hit with major fine following ransomware attack
A business woman looking at AI on a transparent screen
Most businesses are now fully embracing AI - but aren't always protected against the risks
Hands on a laptop with overlaid logos representing network security
Winning the war on ransomware with multi-layer security
Protection from AI hacker attacks
Maintaining SAP’s confidentiality, integrity, and availability triad
A trough sensor at Overbury farm
“It's wildlife working for you” - how Agri-Tech can help revolutionize British farming as we know it
Epson EcoTank ET-4850 next to a TechRadar badge that reads Big Savings
I found the best printer deal you won't see in the Amazon Spring Sale and it's got a massive $150 saving
Latest in News
A PC gamer celebrating, sat in a gaming chair in front of a monitor
Windows 11’s Game Bar gets a fresh coat of paint, plus a tweak to work better on handhelds – and I like the direction Microsoft’s heading in here
NHS
NHS IT supplier hit with major fine following ransomware attack
A business woman looking at AI on a transparent screen
Most businesses are now fully embracing AI - but aren't always protected against the risks
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
All three rumored Samsung Galaxy S25 Edge colors shown off in ‘official’ images
Cristiano Ronaldo promotional image for Fatal Fury: City of the Wolves
Yes, Cristiano Ronaldo is a playable character in Fatal Fury: City of the Wolves, and it makes more sense than you think
inZOI.
inZOI early access won't feature Denuvo DRM after all, 'we are committed to making inZOI a highly moddable game'
More about pro
NHS

NHS IT supplier hit with major fine following ransomware attack
A business woman looking at AI on a transparent screen

Most businesses are now fully embracing AI - but aren't always protected against the risks
Garmin Fenix 8 vs Enduro 3 comparison

Garmin adds premium Garmin Connect+ tier with AI features – but promises your free experience ‘is not going away’
See more latest
Most Popular
Garmin Fenix 8 vs Enduro 3 comparison
Garmin adds premium Garmin Connect+ tier with AI features – but promises your free experience ‘is not going away’
Microsoft Copilot combines the Microsoft 365 apps, Microsoft Graph and Artificial Intelligence. Isolated 3D logo on a surface
Microsoft adds Copilot AI features to Windows 11's Photos app - and I actually don't hate them
NHS
NHS IT supplier hit with major fine following ransomware attack
Nintendo Direct live blog.
Nintendo Direct live build-up: no Switch 2, but these are our predictions for what we could see
A PC gamer celebrating, sat in a gaming chair in front of a monitor
Windows 11’s Game Bar gets a fresh coat of paint, plus a tweak to work better on handhelds – and I like the direction Microsoft’s heading in here
inZOI.
inZOI early access won't feature Denuvo DRM after all, 'we are committed to making inZOI a highly moddable game'
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
All three rumored Samsung Galaxy S25 Edge colors shown off in ‘official’ images
Robert Downey Jr sitting in a chair and holding a finger to his lips during Marvel's Avengers: Doomsday cast reveal
'There is always room for more': Marvel drops big hint that it isn't done with its Avengers: Doomsday cast announcements
Cristiano Ronaldo promotional image for Fatal Fury: City of the Wolves
Yes, Cristiano Ronaldo is a playable character in Fatal Fury: City of the Wolves, and it makes more sense than you think
A business woman looking at AI on a transparent screen
Most businesses are now fully embracing AI - but aren't always protected against the risks