Microsoft's Security Response Center (MSRC) has published a report that provides a detailed account of the Storm-0558 key acquisition incident.
Microsoft Azure has come under attack from the China-based threat actor Storm-0558, and the group's ability to exploit weaknesses in Microsoft's email security service has raised concerns about the platform's security.
In July, Microsoft Security exposed a massive cyberattack by a Chinese group that hacked into the email accounts of dozens of U.S. government agencies and other organizations. Hackers exploited a flaw in its email security service to access the email accounts of about 25 organizations, including government agencies, think tanks, law firms, and NGOs. The hackers also targeted the personal accounts of some individuals associated with these organizations.
New Findings from Microsoft
Microsoft Security's latest report shows that a consumer signing system crash in April 2021 led to the unintended inclusion of a signing key in a “crash dump”. The key was then transferred from a secure production environment to Microsoft's debugging environment on its corporate network. Hackers have since exploited this key to access a Microsoft engineer's corporate account.
Microsoft Security disclosed the cyberattack previously and explained how the hacking group targeted email accounts of numerous U.S. government agencies and other entities. Microsoft identified the group as acting on behalf of the Chinese government for espionage purposes. The tech company has been actively working with affected customers, providing notifications and assistance. They also released a patch to address the vulnerability and have been urging customers to apply it promptly.
Security Measures and Past Incidents
Microsoft has implemented rigorous controls in their production environment. These measures encompass background checks, dedicated accounts, and multi-factor authentication using hardware token devices. However, a flaw introduced in 2018 allowed the mail system to process enterprise email requests using a token signed with the consumer key.
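The 2018 flaw described above comes down to a validation step that trusts any key in a shared key set without checking which identity system that key belongs to. The following is an added, simplified model of that check, not Microsoft's code: it uses HMAC in place of the real asymmetric signing scheme, constructed demo keys and a hypothetical "system" tag per key, and shows the vulnerable validator beside a hardened one that ties the signing key to the system the request is for.

```python
import base64, hashlib, hmac, json

# Constructed demo keys (hypothetical); HMAC stands in for the real asymmetric signing scheme.
# Each key is tagged with the identity system whose tokens it is supposed to sign.
KEYS = {
    "consumer-kid": {"secret": b"consumer-demo-secret", "system": "consumer"},
    "enterprise-kid": {"secret": b"enterprise-demo-secret", "system": "enterprise"},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid, claims):
    """Mint a compact header.payload.signature token under the named key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def _verify_signature(token):
    """Return (key_record, claims) if the signature checks out under the key named by kid."""
    h, p, s = token.split(".")
    key = KEYS.get(json.loads(_unb64(h)).get("kid"))
    if key is None:
        return None, None
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), s):
        return None, None
    return key, json.loads(_unb64(p))

def validate_vulnerable(token, expected_system):
    """Flawed check: any key in the shared key set is trusted, so a token signed with the
    consumer key is accepted for an enterprise mailbox as long as its signature verifies."""
    key, claims = _verify_signature(token)
    return claims if key is not None else None

def validate_hardened(token, expected_system):
    """Scope check: the signing key must belong to the system the request targets,
    and the token's own audience claim must agree with it."""
    key, claims = _verify_signature(token)
    if key is None or key["system"] != expected_system or claims.get("aud") != expected_system:
        return None
    return claims
```

The detection angle follows from the same data: a token whose `kid` maps to a consumer key arriving at an enterprise mailbox endpoint is exactly the mismatch worth logging and alerting on.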
In response to the incident, Microsoft has taken corrective actions, including fixing the race condition, improving its detection mechanisms, and introducing enhanced libraries. Even so, public figures such as Senator Wyden have criticized Microsoft for its handling of such incidents.
Chinese authorities have denied any involvement in these cyberattacks and have accused U.S. cybersecurity firms of fabricating evidence and colluding with the U.S. government to defame China. This denial comes against the backdrop of a timeline in which Chinese hackers targeted the email accounts of organizations in sectors such as defense, energy, and finance starting in May 2023. Microsoft discovered the attack in June and published a security advisory in July.
Storm-0558's Previous Engagements
Reports have shown that Storm-0558 has a history of hacking into email accounts of several U.S. government agencies and organizations. Their strategy often revolves around leveraging flaws in Microsoft's email security service. They have accessed email accounts of diverse organizations, from government agencies to law firms. U.S. Senator Ron Wyden has voiced concerns, suggesting Microsoft's security practices might have unintentionally made these breaches possible.
Wyden called on the Department of Justice (DOJ), the Federal Trade Commission (FTC), and the Cybersecurity and Infrastructure Security Agency (CISA) to investigate the recent hack of Microsoft email accounts. Wyden's concerns stem from a hacking campaign that targeted Microsoft customers, including government agencies. In a detailed letter, Wyden questioned Microsoft's role in the breach, especially ahead of a diplomatic trip to China by key U.S. officials. He emphasized that “Government emails were stolen because Microsoft committed another error” and urged CISA to investigate Microsoft's practices.