Microsoft’s investigation into the recent Storm-0558 cyberattack has concluded by claiming the company now knows how the Chinese threat actor accessed US government email accounts.
Two months ago, a Chinese hacking group known as Storm-0558 accessed more than two dozen Microsoft email accounts belonging to various organizations in the West, including several US government agencies.
Initial investigation showed that the hackers used a previously obtained Microsoft account (MSA) consumer key to forge tokens to access OWA and Outlook.com.
Correcting issues
What remained a mystery was how the hackers obtained that consumer key in the first place. Two months later, the Redmond giant’s in-depth investigation concluded, showing that the signing key was included in a consumer signing system crash dump, from April 2021.
“The crash dumps, which redact sensitive information, should not include the signing key,” Microsoft explained. “In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).”
The crash dump was then moved into the company’s debugging environment on the internet-connected corporate network. While this is consistent with the company’s standard debugging process, it made it possible for hackers to steal. In the months following the crash dump’s creation, a member of Storm-0558 obtained a Microsoft corporate account belonging to an engineer, and given that the account had access to the debugging environment, they managed to grab the crash dump from one of the endpoints.
“Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” Microsoft concluded.
At the time of the breach, Microsoft revoked all valid MSA signing keys, effectively shutting the hackers out.
More security news from TechRadar Pro
