A Chinese hacking group has breached the email accounts of more than two dozen organizations worldwide, including U.S. and Western European government agencies, according to Microsoft.
The attacks have been pinned on a threat group tracked as Storm-0558, believed to be a cyber-espionage outfit focused on collecting sensitive information by breaching email systems.
Microsoft started investigating these attacks on June 16, 2023, following customer reports regarding unusual mail activity.
The company discovered that starting from May 15, 2023, Storm-0558 threat actors managed to access Outlook accounts belonging to roughly 25 organizations and some consumer accounts likely connected to these organizations.
However, Microsoft did not share what organizations, government agencies, or countries were affected in these email breaches.
To do that, the attackers used authentication tokens forged with the help of a stolen Microsoft account (MSA) consumer signing key.
“Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email,” Microsoft said in a blog post published late Tuesday evening.
“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.”
Microsoft added that it found no evidence indicating any additional unauthorized access after it “completed mitigation of this attack.”
Discovered and reported by the U.S. government
The incident was reported to Microsoft by U.S. government officials last month after the discovery of unauthorized access to Microsoft cloud-based email services.
This was confirmed by National Security Council spokesperson Adam Hodge in a statement shared with CNN.
“Last month, US government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” Hodge told CNN.
“Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the US Government to a high security threshold.”
On Tuesday, Microsoft also revealed that the RomCom Russian-based cybercriminal group exploited an unpatched Office zero-day in recent spear-phishing attacks targeting organizations attending the NATO Summit in Vilnius, Lithuania.
