Microsoft still isn't sure how Chinese hackers got access to its systems

OpenVPN-protokollet - därför är det så bra (Image credit: Shutterstock)

Microsoft is still trying to figure out how Chinese hackers managed to steal a Microsoft account consumer signing key (MSA) and use it to target more than two dozen email accounts from various businesses and government organizations in the West.

In an in-depth analysis of the incident, the company confirmed that the theft was still being investigated: "The method by which the actor acquired the key is a matter of ongoing investigation," it says in the writeup. “Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.”

Further in the report, the company says that its investigation, which began roughly a month ago, found that the post-compromise activity was “limited to email access and exfiltration for targeted users.”

Microsoft has since fixed the issue, saying no activity from the user’s side is needed. Still, the emails were breached and sensitive data most likely taken. The group behind the attack is being tracked as Storm-0558, with Microsoft saying it’s a Chinese cyber-espionage group focused on data theft. 

Analysis: Why does it matter?

The attack was most likely conducted by a Chinese state-sponsored threat actor, which means that the Chinese government is behind it. Furthermore, in the attack, some of the victims are U.S. government agencies, such as the State Department and the Department of Commerce. If the Chinese obtained sensitive information from these email accounts (which they probably have) it can have major implications for the state of national security. Also, obtaining private, sensitive data allows the threat actors to mount even more devastating attacks, including identity theft, wire fraud, ransomware, and more.

In more recent times, the relations between the United States and China have significantly eroded. While tensions escalated around the development of 5G infrastructure, and the Trump administration banning Huawei from developing key parts of the network, things started heating up even more around Taiwan. While China seems to be preparing for an all-out invasion to, as it claims, reunite Taiwan with mainland China and return it under its sovereignty, US President Joe Biden said the States will defend the island nation even with arms, if need be. 

 Stealing sensitive data from the US government might give China an edge as it tackles its Western adversary on the global stage.  

What have others said about it?

Microsoft explained it spotted the campaign, which at the time was active for roughly a month, after being tipped off by a customer. It was later discovered that the customer was, in fact, the U.S. State Department. 

The attack was conducted using forget authentication tokens which allowed threat actors to access emails using an acquired Microsoft account consumer signing key, the company confirmed. This is the key that Microsoft still doesn’t how it got stolen. 

“Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and by forging authentication tokens to access user email,” Microsoft explained. 

“The actor used an acquired MSA key to forge tokens to access OWA and MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and are the only services where we have observed the actor using tokens forged with the acquired MSA key.”

There is nothing for potentially affected customers to do in order to stay secure, Microsoft added, as the update was done from the company’s side. The Redmond software giant said it contacted targeted firms directly, and provided them with important information needed for mitigation and response. “If you have not been contacted, our investigations indicate that you have not been impacted,” Microsoft concluded.

In its report on the news, BleepingComputer added that after all active MSA signing keys were revoked, and the API flaw enabling mitigated, the attackers switched to new techniques. “Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys," Microsoft said.

SC Magazine, on the other hand, reminds its readers that this was no ordinary cyberattack, but rather an “advanced and strategically-executed” attack.

“Nation-state attackers have the resources and skills to break into accounts, and they can also go undetected once inside. In this attack, the Storm-0558 attackers were lurking within government email accounts, with access to the data in those accounts, for as long as a month before targeted agencies noticed anomalous mail activity,” it reminds.

The publication also says that IT teams usually face an uphill battle against cybercriminals, as the latter often abuse previously unknown flaws to breach systems and infiltrate endpoints. However, that doesn’t mean they can’t fight them. It just means they need a “layered security approach”, which includes MFA, app security programs, behavior-based anomaly detection, and more.

Go deeper

If you want to learn more about this attack, make sure to read our initial report. Also, you should read our in-depth guide on what is phishing,  what are the best firewalls for an SMB, and our guide on the best malware removal tools right now. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.