US Government Emails Stolen as Hackers Breach Microsoft Outlook

(Bloomberg) — Hackers breached Microsoft Outlook email accounts linked to government agencies in the US and Western Europe, according to government officials and Microsoft Corp., which described the attackers as being based in China.

Last month, the US State Department identified anomalous activity and alerted Microsoft to the attack, according to a spokesperson. A subsequent investigation by Microsoft determined that the hackers “accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” according to a statement from the US Cybersecurity and Infrastructure Security Agency, known as CISA.

In an interview with ABC News Wednesday morning, National Security Advisor Jake Sullivan said, “We detected it fairly rapidly, and we were able to prevent further breaches. The matter is still being investigated.”

In a blog post published Tuesday night, Microsoft described the group behind the attack as China-based and named them Storm-0558. The hackers were able to remain undetected for a month after gaining access to email data from around 25 organizations in mid-May.

“We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection,” Charlie Bell, an executive vice president at Microsoft, wrote in another post.

Besides the State Department, it wasn’t known which other US agencies were impacted by the breach. A senior official said the number of agencies was in the single digits.

It also wasn’t clear which European governments were affected. Italian cybersecurity officials said they were in contact with Microsoft “in order to identify potential Italian subjects involved in the latest attacks.”

Asked about the findings, China’s foreign ministry spokesman Wang Wenbin, at a regular briefing on Wednesday, accused the US of being the world’s largest cyberattacker.

US officials described the attacks as targeted and focused on a small number of accounts at the agencies that were breached, as opposed to a hack seeking to steal large amounts of data. CISA and the FBI issued a joint advisory urging organizations to harden their Microsoft 365 cloud environments.

The hacking campaign got underway in the weeks before Secretary of State Antony Blinken arrived in Beijing to meet with top officials, including Chinese President Xi Jinping.

A key remaining question is how the hackers were able to pull off the breach.

The hackers used “forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key,” Microsoft’s Bell said in his post. The hackers were then able to access Outlook email hosted on systems run and operated by Microsoft.
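To make concrete what “forged authentication tokens” signed with an acquired signing key means, here is an added, stand-alone illustration that is not code from Microsoft or from the original article. It uses a symmetric HS256 key as a stand-in (real MSA signing keys are asymmetric), and the issuer, audience and key value are all constructed for the example. The point it demonstrates: once an attacker holds the signing key, the usual checks a service performs on a token (signature, issuer, audience, expiry) all pass for a token minted for any mailbox owner the attacker names, so signature validation alone offers no way to tell the forged token apart.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; not real keys or endpoints.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"   # stands in for the acquired key
EXPECTED_ISSUER = "https://login.example.test/"          # hypothetical issuer
EXPECTED_AUDIENCE = "https://outlook.example.test/"      # hypothetical mail service audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, claims: dict) -> str:
    """Sign arbitrary claims with the key. Anyone holding the key can do this for any subject."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "example-kid"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(key: bytes, token: str, now=None) -> dict:
    """Checks a relying service typically performs: signature, issuer, audience, expiry.

    Raises ValueError on any failure. Note that none of these checks can distinguish a
    token minted by the legitimate issuer from one minted by anyone else holding the key:
    the signature is valid in both cases.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("unexpected audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def forged_token_for(key: bytes, victim: str, now=None) -> str:
    """What an attacker holding the signing key can do: mint a valid token for any mailbox owner."""
    now = time.time() if now is None else now
    claims = {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "sub": victim,
        "iat": int(now),
        "exp": int(now) + 3600,
    }
    return mint_token(key, claims)


if __name__ == "__main__":
    forged = forged_token_for(SIGNING_KEY, "target.user@agency.example")
    # Accepted by every check above; the service has no signature-based way to tell it is forged.
    print(verify_token(SIGNING_KEY, forged)["sub"])
```

Two things follow from the example. First, the defensive value of signature verification is exactly the secrecy of the signing key; the example says nothing about how the key was obtained, which is the open question the article raises. Second, because the forged token looks legitimate to the service, the remaining way to notice such access is on the access side: per-mailbox logs of which account was read, when and from where, which is the logging question the article turns to further down.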

But how hackers obtained the signing key that gave them access to these emails remains unknown.

“The big question here really is where did they get the MSA-key to sign tokens,” said Sami Laiho, a computer security expert who specializes in Microsoft products. One possible explanation, Laiho said, is if Microsoft itself was breached.

Microsoft didn’t immediately respond to a request for comment about how hackers obtained the signing key.

The senior official used the news of the breach to highlight a source of tension between Microsoft and the US government: logging. Logs allow cybersecurity investigators to dig through digital clues left behind on their own systems to figure out if they’ve been hacked and who may be responsible.

More advanced logging can capture and record granular actions made by a user, like if a certain email was accessed. 

At issue is whether Microsoft should sell logging as a premium add-on for government customers or include it in its product for free.

A lack of logging complicated the investigation into the so-called SolarWinds attack, which was disclosed in 2020. In that episode, Russian state-sponsored hackers inserted malicious code into a software update from SolarWinds Corp., which installed a digital backdoor they could then use to further infiltrate SolarWinds customers. Ultimately, nine US agencies and about 100 companies were breached via the SolarWinds update and other methods.

Microsoft offered its premium logging feature for free for about a year in the wake of the SolarWinds hack. CISA and others have said that logs should be free, maintaining that they are crucial for detecting and investigating security incidents.

On Wednesday, the senior official said some of the affected US agencies paid for a premium logging feature and were able to detect the breach on their own. Microsoft, which retains the logs, was able to identify others who were hacked but didn’t pay for logging.

Requiring organizations to pay for better logging is a recipe for inadequate visibility into what has occurred in networks, the official said, adding that the issue requires urgent attention.


–With assistance from James Mayger, Justin Sink, Iain Marlow, Flavia Rotondi and Katrina Manson.



©2023 Bloomberg L.P.