A Chinese-state advanced persistent threat (APT) actor tracked as Storm-0558 hacked into email accounts at multiple government agencies, and was able to lay low for over a month until being discovered and kicked out by Microsoft, it has been revealed.
In a disclosure notice published on Tuesday 11 July to coincide with its monthly round of security updates, Microsoft revealed details of an investigation it undertook based on customer reporting, beginning on 16 June.
It found that beginning on 15 May, Storm-0558 accessed email data across 25 different organisations, and a smaller number of related personal email accounts from people associated with said organisations, using forged authentication tokens via an acquired Microsoft account consumer signing key.
Microsoft Security executive vice-president Charlie Bell said: “We assess this adversary [Storm-0558] is focused on espionage, such as gaining access to email systems for intelligence collection. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.
“Microsoft’s real-time investigation and collaboration with customers let us apply protections in the Microsoft Cloud to protect our customers from Storm-0558’s intrusion attempts,” he said. “We’ve mitigated the attack and have contacted impacted customers. We’ve also been partnering with relevant government agencies like DHS CISA. We’re thankful they and others are working with us to help protect affected customers and address the issue. We’re grateful to our community for a swift, strong and coordinated response.
“The accountability starts right here at Microsoft,” said Bell. “We remain steadfast in our commitment to keep our customers safe. We are continually self-evaluating, learning from incidents, and hardening our identity/access platforms to manage evolving risks around keys and tokens.”
Token validation issue
HackerOne EMEA solutions architect Shobhit Gautam explained that the root cause of the intrusion was most likely a token validation issue.
“[This] was exploited by the actors to impersonate Azure Active Directory [AD] users and gain access to enterprise mail,” he said. “Since the MSA key and Azure AD keys are generated and managed separately, the issue would lie in the validation logic.
“For a successful exploitation, an attacker would need to gather information specific to the target – MSA Consumer Keys – and so would be fairly complicated to exploit. However, once in, the attacker would be able to have significant impact due to the ubiquity of the software,” said Gautam. “Exploiting vulnerabilities in the supplier network has become a key tactic in the attacker’s playbook.
“The best way to identify complex vulnerability risk is to take an outsider’s mindset that looks at how an attacker might make use of a variety of weaknesses to chain together to have a far more powerful impact. Government has been quick on the update of harnessing human intelligence to secure their defences.”
Mandiant chief analyst John Hultquist said: “Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with. They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth.
“Rather than manipulating unsuspecting victims into opening malicious files or links, these actors are innovating and designing new methods that are already challenging us. They are leading their peers in the deployment of zero-days and they have carved out a niche by targeting security devices specifically.
“They’ve even transformed their infrastructure – the way they connect to targeted systems,” he said. “There was a time when they would come through a simple proxy or even directly from China, but now they are connecting through elaborate, ephemeral proxy networks of compromised systems. It’s not uncommon for a Chinese cyber espionage intrusion to traverse a random home router. The result is an adversary much harder to track and detect.
“The reality is that we are facing a more sophisticated adversary than ever, and we’ll have to work much harder to keep up with them.”
This is the second time in a little under two months that Microsoft has gone public with accusations of coordinated cyber espionage campaigns by the Chinese state.
Towards the end of May, in collaboration with the UK’s National Cyber Security Centre and its counterparts in Australia, Canada, New Zealand and the US, it highlighted the nefarious activities of an APT actor dubbed Volt Typhoon, which targeted operators of critical national infrastructure, including sites on Guam, a Pacific island territory of the US that would be of immense military value in any Western response to a hypothetical Chinese invasion of Taiwan.
The Chinese government accused Microsoft and its government partners of being “extremely unprofessional” in response.