China-Based Hackers Breached US Govt Email Accounts

Microsoft and US officials have confirmed that China-based hackers were detected after having compromised Exchange email accounts belonging to the US government.

Besides breaching some United States government agencies, the hackers also apparently breached email accounts at two-dozen organisations.

Microsoft Exchange accounts have been compromised before by Chinese hackers. In 2021 Microsoft and other security experts identified a state-sponsored hacking group called Hafnium, operating out of mainland China, being responsible for hacking “primarily target entities in the United States.”

Storm-0558 hackers

The White House in March 2021 said it was “concerned” over the potentially large number of organisations affected by four zero-day flaws in Microsoft Exchange, compromised by Chinese hackers.

Days after that the UK’s National Cyber Security Centre (NCSC) said it had to warn 2,300 UK businesses that their systems had been hacked as part of a free-for-all making use of the Exchange vulnerabilities.

In Europe, the Norwegian parliament and the European Banking Authority both said they had been breached.

Now over two years later China-based hackers have struck again.

Microsoft’s executive VP of Security, Charlie Bell, blogged that Redmond is “publishing details of activity by a China-based actor Microsoft is tracking as Storm-0558 that gained access to email accounts affecting approximately 25 organisations including government agencies as well as related consumer accounts of individuals likely associated with these organisations.”

Bell wrote that Microsoft has been working with the impacted customers and notifying them prior to going public with further details.

“At this stage – and in coordination with customers – we are sharing the details of the incident and threat actor to benefit the industry,” wrote Bell.

“The threat actor Microsoft links to this incident is an adversary based in China that Microsoft calls Storm-0558,” wrote Bell. “We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.”

He wrote that on 16 June, Microsoft began investigating “anomalous mail activity” after receiving “customer reported information.”

“Over the next few weeks, our investigation revealed that beginning on 15 May 2023, Storm-0558 gained access to email data from approximately 25 organisations, and a small number of related consumer accounts of individuals likely associated with these organisations,” wrote Bell.

“They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key. Microsoft has completed mitigation of this attack for all customers.”

He added that Microsoft has added substantial automated detections for known indicators of compromise associated with this attack to harden defences and customer environments, and it had found no evidence of further access.

US, Western Europe

Microsoft in another blog post warned that Storm-0558 had targeted customer emails, and it found that “Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access.”

CNN meanwhile reported that the US federal agency where Chinese hackers were first detected was the US State Department.

The State Department then reported the suspicious activity to Microsoft, a person told CNN.

This was confirmed by White House National Security Council spokesman Adam Hodge.

“Last month, US government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” Hodge said in a statement to CNN.

“Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service,” Hodge said. “We continue to hold the procurement providers of the US Government to a high security threshold.”

Hodge did not identify who was behind the hack, but Microsoft has publicly stated the hackers were based in China and focused on espionage.

There is still an “ongoing, active investigation” in the US government to understand the full scope of the hack, a source familiar with the matter told CNN.

Expert take

Meanwhile security experts have warned of a surge of hacking attacks from China.

“Unfortunately, Microsoft’s findings aren’t surprising, and this won’t be the last news-making story of this nature,” said Dan Schiappa, chief product officer at Arctic Wolf. “In the security community, we’ve been warning of a surge in Chinese state-sponsored activity for a while now, as both the domestic and geopolitical tensions with China continue to rise.”

“Chinese threat activity is not financially motivated, it is focused on spycraft, which lends itself to long-term, undetected attacks,” said Schiappa. “It’s important to look at the big picture of this incident, with the backdrop of the current technology race between China and the US, particularly with the rise of AI. It’s critical that research, development, and government data are protected from prying eyes, as AI becomes the new battlefield for the tech cold war.”

“Although the average American business should likely be more concerned about financially motivated ransomware gangs like Clop, it’s important to remember the ever-present issue of supply chain attacks, and these more long-term plays from China,” said Schiappa.

“For businesses with any government contracts or relationships with those that are involved with bleeding-edge technology research or military-grade operations, an unassuming third party vendor could be the vehicle of intrusion and intelligence gathering,” Schiappa warned.

“Patching even the smallest vulnerability and enforcing a culture of security across all users, particularly as forged authentication tokens and stolen credentials run rampant on the dark web, can be the difference between an incident and a close call,” Schiappa concluded.

Stealthy hackers

Meanwhile John Hultquist, chief analyst at Mandiant (now part of Google Cloud) believes that Chinese threat actors have become more sophisticated in their approach, focusing more on stealth than “smash and grab” tactics which has made them much harder to track and detect.

“Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with,” said Hultquist. “They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth.”

“Rather than manipulating unsuspecting victims into opening malicious files or links, these actors are innovating and designing new methods that are already challenging us,” said Hultquist. “They are leading their peers in the deployment of zero-days and they have carved out a niche by targeting security devices specifically.”

“They’ve even transformed their infrastructure – the way they connect to targeted systems,” said Hultquist. “There was a time when they would come through a simple proxy or even directly from China, but now they are connecting through elaborate, ephemeral proxy networks of compromised systems. It’s not uncommon for a Chinese cyber espionage intrusion to traverse a random home router. The result is an adversary much harder to track and detect.”

“The reality is that we are facing a more sophisticated adversary than ever, and we’ll have to work much harder to keep up with them,” Hultquist concluded.