Cybersecurity

Microsoft says it has fixed mistakes that led to massive breach of US government inboxes

While a compromised engineer account was the access vector, a string of other errors enabled the attack.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

A compromised Microsoft corporate account was likely the access point through which hackers allegedly backed by the Chinese government were able to stage an attack on US government inboxes, the company revealed in a recent blog post.

Microsoft Security Response Center (MSRC) team members wrote that their investigation into the attack by the threat actor, which they call Storm-0558, showed the attackers gained initial access to Microsoft systems via an engineer’s email account. However, it took a series of earlier errors for the hackers to actually obtain a Microsoft signing key they could use to forge Outlook authentication tokens for dozens of organizations, including the Departments of State and Commerce.

The MSRC team said it found that a Microsoft consumer signing system crashed in April 2021, producing a snapshot of the crashed process (a crash dump) for later analysis. Signing key material is not supposed to end up in such a dump, but this one contained a copy of the key, and the automated credential scanning that is run on crash dumps repeatedly failed to detect it.

The snapshot was then moved from the isolated production network to a debugging environment on Microsoft’s regular corporate network, a normal process which wouldn’t be a problem, according to MSRC, if there wasn’t a consumer signing key left inside it. Microsoft’s best assessment is that the hackers used the compromised engineer’s account to pull the key out of that debugging environment. From the blog post:

This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.
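The page says the crash dump held the key and that scanning missed it, but not why. The following added example (not Microsoft’s tooling or code, and not a reconstruction of the actual cause) illustrates one well-known blind spot of dump scanners: a scanner that only looks for the textual PEM header finds a key written out as text but walks straight past the same PKCS#8 structure sitting in memory as raw DER, which is how a signing service normally holds it. The fake key bytes, filler pages and offsets below are constructed for the demonstration.

```python
import re

# Constructed stand-ins, not material from any real dump: a fake PKCS#8 RSA key as PEM
# text, and the DER prefix of the same structure as a process would hold it in memory.
FAKE_PEM_KEY = (
    b"-----BEGIN PRIVATE KEY-----\n"
    b"MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEAxyz\n"
    b"-----END PRIVATE KEY-----\n"
)
# PKCS#8 PrivateKeyInfo: SEQUENCE { version 0, AlgorithmIdentifier { rsaEncryption, NULL },
# OCTET STRING (RSAPrivateKey) }. The key body is truncated filler; only the shape matters here.
FAKE_DER_KEY = (
    b"\x30\x82\x01\x56"                                                # SEQUENCE, length 0x156
    b"\x02\x01\x00"                                                    # INTEGER version = 0
    b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"    # OID 1.2.840.113549.1.1.1 + NULL
    b"\x04\x82\x01\x40"                                                # OCTET STRING wrapping the key
    + bytes(range(64))                                                 # truncated key body (filler)
)

# Text marker most secret scanners key on.
PEM_MARKER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Binary signature: version 0 followed by the rsaEncryption AlgorithmIdentifier and an OCTET STRING tag.
DER_PKCS8_RSA = re.compile(
    rb"\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x04",
    re.DOTALL,
)


def scan_pem_only(dump: bytes) -> list[int]:
    """Offsets of PEM private-key headers: what a text-only scanner reports."""
    return [m.start() for m in PEM_MARKER.finditer(dump)]


def scan_pem_and_der(dump: bytes) -> list[int]:
    """Offsets of PEM headers plus raw PKCS#8 RSA structures found in the bytes."""
    hits = scan_pem_only(dump)
    hits += [m.start() for m in DER_PKCS8_RSA.finditer(dump)]
    return sorted(hits)


def build_dump(key_blob: bytes, page_len: int = 4096) -> bytes:
    """Constructed 'crash dump': a zeroed page on either side of the key material."""
    filler = bytes(page_len)
    return filler + key_blob + filler


if __name__ == "__main__":
    pem_dump = build_dump(FAKE_PEM_KEY)
    der_dump = build_dump(FAKE_DER_KEY)
    print("PEM-only scanner, PEM in dump:", scan_pem_only(pem_dump))
    print("PEM-only scanner, DER in dump:", scan_pem_only(der_dump))
    print("PEM+DER scanner, DER in dump:", scan_pem_and_der(der_dump))
```

The practical takeaway is the one the incident teaches regardless of the exact scanner failure: a clean scan result is not proof that a dump is free of key material, so dumps from signing systems should be handled as if they contain the key until proven otherwise, and scanners should match the in-memory encodings of the secrets they are meant to catch, not just their on-disk text forms.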

Attackers were able to use the stolen consumer key against enterprise systems because of a second mistake. When Microsoft built “common key metadata publishing,” designed to let mail-handling software work across both the consumer and enterprise email systems, engineers “incorrectly assumed” that the libraries consuming that key metadata were fully validating keys, so the mail system never checked for itself that a token had been signed by a key of the right type for the system it was presented to.

The result, according to MSRC, was that hackers could use the consumer key to forge security tokens which enabled access to enterprise systems. Storm-0558 reportedly retained its ill-gotten access for around a month.
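To make the validation gap concrete, here is an added example, not Microsoft’s code and not a description of its actual token format. HMAC secrets stand in for the RSA signing keys so it runs offline; the key identifiers, issuer URLs and tenant id are constructed. One merged key set is published for both systems (the “common key metadata”). The vulnerable validator accepts any token whose signature checks out against any published key, so a token minted with the consumer key but claiming an enterprise tenant sails through. The hardened validator binds the signing key to the issuer the relying party expects and checks the token’s own issuer claim against it.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in keys (not Microsoft's): HMAC secrets replace RSA signing keys
# so the example runs offline. The key-scoping logic is the point, not the algorithm.
CONSUMER_KEY = {
    "kid": "consumer-2021",
    "secret": b"msa-consumer-signing-secret",
    "issuer": "https://login.live.example",          # assumed consumer issuer
}
ENTERPRISE_KEY = {
    "kid": "enterprise-2021",
    "secret": b"aad-enterprise-signing-secret",
    "issuer": "https://login.enterprise.example",    # assumed enterprise issuer
}
ENTERPRISE_TENANT = "contoso-tenant-id"              # constructed tenant id

# "Common key metadata publishing": a single merged key set served for both systems.
COMMON_KEYS = {k["kid"]: k for k in (CONSUMER_KEY, ENTERPRISE_KEY)}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: dict, claims: dict) -> str:
    """Mint a JWS-style token header.payload.signature, MAC over the first two parts."""
    header = _b64(json.dumps({"alg": "HS256", "kid": key["kid"]}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def _verify_signature(token: str):
    """Return (header, claims) if the signature verifies under the key named by 'kid', else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    key = COMMON_KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None
    return header, json.loads(_unb64(payload_b64))


def validate_vulnerable(token: str, expected_tenant: str) -> bool:
    """The flawed assumption: 'the library validated the key, so a good signature is enough'.
    Never asks which system's key signed the token or which issuer it claims."""
    result = _verify_signature(token)
    if result is None:
        return False
    _, claims = result
    return claims.get("tid") == expected_tenant


def validate_hardened(token: str, expected_tenant: str, expected_issuer: str) -> bool:
    """A valid signature is not authorization: scope the key and the claims to the issuer."""
    result = _verify_signature(token)
    if result is None:
        return False
    header, claims = result
    key = COMMON_KEYS[header["kid"]]
    if key["issuer"] != expected_issuer:       # consumer key must not sign enterprise tokens
        return False
    if claims.get("iss") != expected_issuer:   # issuer claim must match the expected issuer
        return False
    return claims.get("tid") == expected_tenant


def forged_token() -> str:
    """What an attacker holding only the stolen consumer key can mint: payload is theirs to write."""
    return sign_token(CONSUMER_KEY, {
        "iss": ENTERPRISE_KEY["issuer"],
        "tid": ENTERPRISE_TENANT,
        "upn": "victim@contoso.example",
    })


if __name__ == "__main__":
    tok = forged_token()
    print("vulnerable accepts forged token:", validate_vulnerable(tok, ENTERPRISE_TENANT))
    print("hardened accepts forged token:",
          validate_hardened(tok, ENTERPRISE_TENANT, ENTERPRISE_KEY["issuer"]))
```

The general rule this encodes is that a key set shared across trust domains needs a per-key scope, and every relying party must enforce it: verify the signature, then confirm the key that produced it is allowed to issue tokens for this audience, then check the issuer and tenant claims. Any one of those alone, as the incident showed, is not enough.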

As TechCrunch reported, the MSRC investigation still leaves open the question of how Storm-0558 gained access to Microsoft’s corporate network in the first place. Carley Petersen Hibbard, a spokesperson for Microsoft, told IT Brew “the account was compromised using token-stealing malware,” without elaborating further.

MSRC wrote that Microsoft has since resolved the issues identified during the investigation.

According to CNN, while the State Department raised the incident with its Chinese counterparts, at least one senior US government official has acknowledged that Microsoft was fair game as an espionage target.

“That’s what nation-states do,” Rob Joyce, director of cybersecurity at the National Security Agency, told CNN in July. “We have to defend against it, we need to push back against it. But that is something that happens.”
