Microsoft Account Compromise Led To Chinese Hack Of US Officials

Microsoft has identified how China-based hackers (dubbed Storm-0558) were able to compromise US government emails, including that of senior officials.

In a blog post on the matter, Microsoft revealed the results of a major technical investigation, after Storm-0558 used an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA (Outlook Web Access) and Outlook.com.

Microsoft’s release of the investigation findings come after a US cybersecurity advisory panel said it would investigate risks in cloud computing, including Microsoft’s role in the breach of government officials’ email accounts by suspected Chinese hackers.

Image credit: US House of Representatives

Storm-0558 hack

The US House of Representatives Oversight Committee, has also announced it is “investigating the recent cyber espionage campaigns which breached the Department of State and the Department of Commerce.”

The issue began in July when Microsoft and the White House confirmed that China-based hackers had compromised the email accounts belonging to a number of US government departments, as well as 25 unnamed organisations.

Microsoft at the time labelled the China-based threat actor Storm-0558, and said the attacks seemed to focused “on espionage, data theft, and credential access.”

The intrusion activity began in May and continued for roughly one month.

A number of other US government departments had also been compromised (including the US House of Representatives).

Indeed, it is alleged that Storm-0558 stole hundreds of thousands of emails from top American officials including Commerce Secretary Gina Raimondo, US Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asia Daniel Kritenbrink.

It is worth remembering that the US Commerce Secretary Raimondo has implemented a series of export control policies against China, curbing the transfer of semiconductors and other sensitive technologies to Beijing.

Engineer account compromise

In its blog post detailing its investigation findings, Microsoft said that it maintained a highly isolated and restricted production environment, but a system crash triggered a process that led to the hackers extracting a cryptographic key from an engineer’s account.

“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”),” Redmond stated. “The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).”

“We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network,” Microsoft said. “This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).”

“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account,” said Microsoft. “This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

Microsoft said it has now hardened its systems and fixed the flaws that led to the key being accessible from the unidentified engineer’s account.

Beijing has previously described the allegation that it stole emails from top US officials as “groundless narratives.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Microsoft Xbox Marketing Chief Leaves For Roblox

Microsoft loses Xbox marketing chief amidst executive changes in company's gaming division, broader layoffs and…

10 hours ago

YouTube Test Community ‘Notes’ Feature For Added Context

YouTube begins testing Notes feature that allows selected users to add contextual information to videos,…

10 hours ago

FTC Sues Adobe Over Hidden Fees, Termination ‘Resistance’

US regulator sues Photoshop maker Adobe over large, hidden termination fees, intentionally difficult cancellation process

11 hours ago

Tencent To Ban AI Avatars From Livestream Commerce

Chinese tech giant Tencent to ban AI hosts from livestream video platform as it looks…

11 hours ago

TikTok US Ban Appeal Gets 16 September Court Date

Action by TikTok, ByteDance and creators against US ban law gets 16 September hearing date,…

12 hours ago

US Surgeon General Calls For Warning Labels On Social Media

US surgeon general calls for cigarette-style warning labels to be shown on social media advising…

13 hours ago