China-based hackers breach US government email accounts using Microsoft cloud flaw
A group of hackers from China exploited a vulnerability in Microsoft’s cloud email service to access the email accounts of US government employees, including Commerce Secretary Gina Raimondo and State Department officials, Microsoft and the US government confirmed on Tuesday.
The hacking group, dubbed Storm-0558 by Microsoft, compromised about 25 email accounts belonging to government agencies, as well as related consumer accounts of individuals associated with those organizations, according to a blog post by Microsoft. The company said the hackers used a forged authentication token to access Outlook Web Access (OWA) and Outlook.com, and then impersonated Azure AD users to gain access to enterprise email accounts.
Microsoft said it detected the attack on June 16, after being alerted by the State Department, which was the first to discover the breach. The company said it has since fixed the vulnerability and that Storm-0558 no longer has access to the compromised accounts. However, it did not disclose whether any sensitive data was stolen by the hackers.
The Commerce Department and the State Department confirmed that their systems were affected by the breach, but did not provide details on the extent of the damage or the nature of the information that may have been exposed. Raimondo is the only known Cabinet-level official to have her account hacked in this campaign, according to The Washington Post.
Adam Hodge, a spokesperson for the White House’s National Security Council, told TechCrunch that US government agencies were affected by the breach, which only impacted unclassified systems. “Last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” Hodge said. “Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. Government to a high security threshold.”
Microsoft attributed the attack to Storm-0558, a China-based actor that it described as a “well-resourced” adversary that is focused on espionage and intelligence collection. The company said this type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.
This is not the first time that Chinese hackers have targeted US government entities using Microsoft products. In March, Microsoft disclosed that a state-sponsored hacking group known as Hafnium exploited four zero-day vulnerabilities in its Exchange Server software to compromise tens of thousands of organizations around the world, including US federal agencies and local governments.