(CTN News) – Despite Microsoft’s efforts, China-backed hackers managed to stealthily break into dozens of email inboxes, including those of federal government agencies, using a key they stole from Microsoft.
According to a blog post Friday, Microsoft is still investigating how the hackers obtained a signing key that was abused to create authentication tokens that gave them access to inboxes as if they were the rightful owners.
According to reports, targets include Commerce Secretary Gina Raimondo, U.S. State Department officials, and other organizations.
According to Microsoft, the month-long activity was linked to a newly discovered espionage group called Storm-0558, with ties to China.
According to U.S. cybersecurity agency CISA, the hacks began in mid-May and affected only a small number of government accounts. Although the U.S. government has not publicly attributed the hacks, China’s top foreign ministry spokesperson has denied the allegations.
Rather than exploiting previously unknown vulnerabilities in Microsoft-powered email servers to steal corporate data, this hacking group targeted new and undisclosed vulnerabilities in Microsoft’s cloud.
A consumer signing key, or MSA key, which Microsoft uses to protect consumer email accounts such as Outlook.com, was acquired by the hackers, according to its blog post. Initially, Microsoft believed the hackers were forging authentication tokens with an acquired enterprise signing key, which secures corporate and enterprise email accounts.
The hackers used this consumer MSA key to forge tokens that allowed them to break into enterprise inboxes. The company said “validation errors” were found in its code.
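The failure the article describes is a token verifier that trusts a signing key without tying it to the trust domain (consumer vs. enterprise) of the service being accessed. The following is an added illustration, not Microsoft’s code or any reconstruction of it: a minimal JWT-style verifier with a flawed check beside a hardened one. Key names, issuer URLs, the audience string and the use of an HMAC secret in place of a real asymmetric signing key are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed, illustrative key material. Real signing keys are asymmetric
# (RSA/ECDSA); an HMAC secret stands in so the example runs with the stdlib.
CONSUMER_KEYS = {"msa-key-1": b"consumer-secret-constructed"}
ENTERPRISE_KEYS = {"ent-key-1": b"enterprise-secret-constructed"}

ENTERPRISE_ISSUER = "https://login.corp.example/"  # hypothetical issuer
MAILBOX_AUDIENCE = "enterprise-mail"               # hypothetical audience


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, secret: bytes, claims: dict) -> str:
    """Mint a compact header.payload.signature token under the given key id."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def _parse(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    claims = json.loads(_unb64(payload_b64))
    return header, claims, f"{header_b64}.{payload_b64}".encode(), _unb64(sig_b64)


def _sig_ok(secret: bytes, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_vulnerable(token: str) -> Optional[dict]:
    """Flawed check: every trusted key, from either key set, validates any
    token. Nothing binds the key's trust domain to the service it protects,
    so a token signed with a consumer key passes for an enterprise mailbox."""
    header, claims, signing_input, sig = _parse(token)
    all_keys = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    secret = all_keys.get(header.get("kid"))
    if secret is None or not _sig_ok(secret, signing_input, sig):
        return None
    return claims


def verify_hardened(token: str) -> Optional[dict]:
    """Tightened check for the enterprise mailbox service: only the enterprise
    key set is consulted (consumer key ids are simply unknown here), and the
    issuer and audience claims must match what this service expects."""
    header, claims, signing_input, sig = _parse(token)
    secret = ENTERPRISE_KEYS.get(header.get("kid"))
    if secret is None or not _sig_ok(secret, signing_input, sig):
        return None
    if claims.get("iss") != ENTERPRISE_ISSUER or claims.get("aud") != MAILBOX_AUDIENCE:
        return None
    return claims


def demo() -> dict:
    """Run both verifiers over a legitimate token and a cross-domain one."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAILBOX_AUDIENCE, "upn": "alice@corp.example"}
    legit = sign_token("ent-key-1", ENTERPRISE_KEYS["ent-key-1"], claims)
    # Same enterprise claims, but signed under the consumer key id: the
    # trust-domain mix-up the incident write-up attributes to validation errors.
    cross_domain = sign_token("msa-key-1", CONSUMER_KEYS["msa-key-1"], claims)
    return {
        "legit_vulnerable": verify_vulnerable(legit) is not None,
        "legit_hardened": verify_hardened(legit) is not None,
        "cross_vulnerable": verify_vulnerable(cross_domain) is not None,
        "cross_hardened": verify_hardened(cross_domain) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened verifier rejects the cross-domain token on key-set membership alone; the issuer and audience checks are a second, independent line of defence so that a future key-set mistake does not again become a full bypass.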
Microsoft said it has blocked “all actor activity” related to this incident, indicating that the hackers no longer have access.
In an effort to prevent hackers from churning out another digital skeleton key, Microsoft has hardened its key issuance systems, though it’s not clear how the company lost control of its own keys.
The hackers made a crucial mistake. Because they used the same key to raid several inboxes, Microsoft said its investigators could see “all actor access requests which followed this pattern across both our enterprise and consumer systems.” Microsoft therefore knows who was compromised and said it has notified those affected.
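The pattern investigators reportedly pivoted on, one key id validating requests across both the consumer and the enterprise system, is straightforward to hunt for once the key id is recorded with each validated request. The script below is an added example, not Microsoft’s telemetry or tooling: it runs over a few constructed log lines with hypothetical field names and flags key ids that were used outside the system they belong to, or across more than one system, along with the mailboxes each such key touched.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (not real telemetry): one token-validated request
# per line. The field names and the key-to-system mapping are hypothetical.
SAMPLE_LOG = """\
timestamp,system,kid,mailbox,action
2023-05-15T08:01:10Z,consumer,msa-key-1,user1@outlook.example,read
2023-05-15T08:02:44Z,enterprise,ent-key-1,alice@corp.example,read
2023-05-16T09:10:03Z,enterprise,msa-key-1,bob@agency.example,read
2023-05-16T09:11:52Z,enterprise,msa-key-1,carol@agency.example,read
2023-05-17T10:30:00Z,enterprise,msa-key-1,dave@agency.example,read
2023-05-17T11:05:21Z,consumer,msa-key-1,user2@outlook.example,read
"""

# Which system each key id is supposed to sign tokens for (hypothetical).
EXPECTED_SYSTEM = {"msa-key-1": "consumer", "ent-key-1": "enterprise"}


def parse_log(text: str) -> list:
    """Parse the CSV log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def foreign_key_requests(rows: list) -> list:
    """Rows where a token was validated by a system the key does not belong to."""
    return [r for r in rows if EXPECTED_SYSTEM.get(r["kid"]) != r["system"]]


def keys_crossing_systems(rows: list) -> list:
    """Key ids seen validating tokens in more than one system."""
    systems = defaultdict(set)
    for r in rows:
        systems[r["kid"]].add(r["system"])
    return sorted(k for k, s in systems.items() if len(s) > 1)


def mailboxes_touched(rows: list, kid: str, system: str) -> list:
    """Distinct mailboxes a given key accessed within one system, for scoping
    which accounts need notification."""
    return sorted({r["mailbox"] for r in rows if r["kid"] == kid and r["system"] == system})


def triage(text: str) -> dict:
    """Summarise the hunt: misused keys and the mailboxes they reached."""
    rows = parse_log(text)
    flagged = sorted({r["kid"] for r in foreign_key_requests(rows)} | set(keys_crossing_systems(rows)))
    return {
        kid: {
            "foreign_requests": sum(1 for r in foreign_key_requests(rows) if r["kid"] == kid),
            "enterprise_mailboxes": mailboxes_touched(rows, kid, "enterprise"),
        }
        for kid in flagged
    }


if __name__ == "__main__":
    for kid, summary in triage(SAMPLE_LOG).items():
        print(kid, summary)
```

Two signals are checked deliberately: the key-to-system mapping catches a single stray request, while the cross-system check needs no mapping at all and still fires when a key that should live in one trust domain shows up in another.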
Microsoft now faces scrutiny for the way it handled the incident, thought to be the biggest breach of unclassified government data since the Russian espionage campaign that hacked SolarWinds in 2020.
Ars Technica’s Dan Goodin notes that Microsoft avoided terms like “zero-day” in its blog post; the term refers to a software maker having had zero days to fix a vulnerability that is already being exploited.
Whether or not the bug or its exploitation fits everyone’s definition of a zero-day, Microsoft avoided describing it as such, or even calling it a vulnerability.
The affected government departments themselves had no visibility into the intrusions that led to the key leak and its misuse. Microsoft is also under fire for reserving security logs for government accounts to its top-tier package, logs that might have helped other incident responders identify the malicious activity.