Microsoft Account Compromise Led To Chinese Hack Of US Officials

Chinese hack of senior US officials came after the corporate account of a Microsoft engineer was compromised

Microsoft has identified how China-based hackers (dubbed Storm-0558) were able to compromise US government emails, including that of senior officials.

In a blog post on the matter, Microsoft revealed the results of a major technical investigation, after Storm-0558 used an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA (Outlook Web Access) and Outlook.com.

Microsoft’s release of the investigation findings comes after a US cybersecurity advisory panel said it would investigate risks in cloud computing, including Microsoft’s role in the breach of government officials’ email accounts by suspected Chinese hackers.

[Image: the US Capitol, home of the US House of Representatives. Image credit: US House of Representatives]

Storm-0558 hack

The US House of Representatives Oversight Committee has also announced it is “investigating the recent cyber espionage campaigns which breached the Department of State and the Department of Commerce.”

The issue began in July when Microsoft and the White House confirmed that China-based hackers had compromised the email accounts belonging to a number of US government departments, as well as 25 unnamed organisations.

Microsoft at the time labelled the China-based threat actor Storm-0558, and said the attacks seemed to be focused “on espionage, data theft, and credential access.”

The intrusion activity began in May and continued for roughly one month.

A number of other US government departments had also been compromised (including the US House of Representatives).

Indeed, it is alleged that Storm-0558 stole hundreds of thousands of emails from top American officials including Commerce Secretary Gina Raimondo, US Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asia Daniel Kritenbrink.

It is worth remembering that the US Commerce Secretary Raimondo has implemented a series of export control policies against China, curbing the transfer of semiconductors and other sensitive technologies to Beijing.

Engineer account compromise

In its blog post detailing its investigation findings, Microsoft said that it maintained a highly isolated and restricted production environment, but a system crash triggered a process that led to the hackers extracting a cryptographic key from an engineer’s account.

“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”),” Redmond stated. “The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).”

“We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network,” Microsoft said. “This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).”

“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account,” said Microsoft. “This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”
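The kind of key-material gate Microsoft says its credential scanning lacked, as an added example (not Microsoft's tooling): before a crash dump may leave the isolated production network, it is scanned for PEM private-key markers, the DER prefix of a PKCS#8 RSA key and private RSA JWKs. The dump bytes, key fragments and key id are constructed here.

```python
import re
from dataclasses import dataclass

# Patterns for signing-key material that must never leave the isolated network.
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
# DER prefix of a PKCS#8 PrivateKeyInfo carrying the rsaEncryption OID:
# SEQUENCE (long length), INTEGER 0 (version), SEQUENCE { OID 1.2.840.113549.1.1.1 }
PKCS8_RSA = re.compile(
    rb"\x30\x82..\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01",
    re.DOTALL,
)
# An RSA JWK is private if it also carries the private exponent "d".
JWK_PRIVATE = re.compile(rb'"kty"\s*:\s*"RSA"[^{}]*"d"\s*:\s*"')

@dataclass
class Finding:
    kind: str
    offset: int

def scan_dump(dump: bytes) -> list[Finding]:
    """Return every key-material hit in the dump with its byte offset."""
    findings = []
    for kind, pattern in (("pem_private_key", PEM_PRIVATE),
                          ("pkcs8_rsa_der", PKCS8_RSA),
                          ("jwk_private_key", JWK_PRIVATE)):
        for m in pattern.finditer(dump):
            findings.append(Finding(kind, m.start()))
    return findings

def may_leave_isolated_network(dump: bytes) -> bool:
    """Policy gate: any finding keeps the dump inside the isolated network."""
    return not scan_dump(dump)

# Constructed sample dump: filler memory, a PKCS#8 DER header, and a private JWK
# that a redaction pass missed (standing in for the race condition described above).
SAMPLE_DUMP = (
    b"\x00" * 64 + b"thread 7 stack frame ... "
    + b"\x30\x82\x04\xa4\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"
    + b"\x00" * 32
    + b'{"kty":"RSA","kid":"EXAMPLE-KID","n":"AQAB...","e":"AQAB","d":"EXAMPLE-D..."}'
    + b"\xff" * 16
)

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"{f.kind} at offset {f.offset}")
    print("export allowed:", may_leave_isolated_network(SAMPLE_DUMP))
```

Such a gate belongs at the point where a dump is copied out of the isolated environment, so a redaction failure is caught before the artifact reaches a debugging network that corporate accounts can reach.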

Microsoft said it has now hardened its systems and fixed the flaws that led to the key being accessible from the unidentified engineer’s account.

Beijing has previously described the allegation that it stole emails from top US officials as “groundless narratives.”