A notorious Chinese cyber group, tracked as Storm-0558, has breached the email systems of a multitude of global institutions. Microsoft has confirmed that the hackers' targets were not limited to U.S. government bodies but extended to various Western European agencies.
The breach was not random or haphazard but the work of a highly focused group with an established cyber-espionage agenda. Their primary goal is extracting and exploiting confidential information, chiefly by compromising supposedly secure email systems.
Microsoft’s Efforts to Uncover Cyber Intrusions
Microsoft began its examination of these alarming cyber-attacks on June 16, 2023. This followed reports from clients regarding abnormal activity in their email accounts.
The tech giant identified that the Storm-0558 threat actors commenced their operation on May 15, 2023. The victims of this intrusion were about 25 organizations, along with a few individual consumers. Microsoft suspects these consumer accounts are somehow linked to the affected organizations.
Storm-0558 Was Breaching Security Using Forged Authentication Tokens
To carry out their agenda, the hackers used authentication tokens illegally crafted with a stolen Microsoft account (MSA) consumer signing key. By forging these tokens, the intruders were able to enter customer email accounts.
Microsoft disclosed in a late Tuesday evening blog post, “Storm-0558 intruded customer email accounts by forging authentication tokens to access user email via Outlook Web Access in Exchange Online (OWA) and Outlook.com.”
“Utilizing a purloined MSA key, the hackers fabricated tokens to access OWA and Outlook.com. The MSA (consumer) and Azure AD (enterprise) keys, issued and managed from distinct systems, are specific to their respective systems. The hackers exploited a token validation loophole to impersonate Azure AD users, gaining access to enterprise mail,” the post added.
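The quoted post describes two separate key systems (MSA consumer keys and Azure AD enterprise keys) and a validation loophole that let a token signed with a consumer key be accepted for enterprise mail. The example below is added here to illustrate that class of defect; it is not Microsoft's code and does not reproduce its actual validation logic. It assumes a simplified JWT-style token, HMAC signing in place of the asymmetric keys a real identity provider uses, and invented issuer URLs and key IDs. The flawed validator looks a token's `kid` up in a merged pool of every issuer's keys, so only the audience claim decides which system the caller reaches; the hardened validator binds the key lookup to the issuer that actually serves the requested audience.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample keys, one key set per issuer. HMAC is used only to keep
# the example dependency-free; the real keys are asymmetric. Values are invented.
CONSUMER_KEYS = {"msa-key-1": b"consumer-signing-secret"}      # MSA (consumer)
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-signing-secret"}  # Azure AD (enterprise)

CONSUMER_ISS = "https://login.live.com"                         # hypothetical
ENTERPRISE_ISS = "https://login.microsoftonline.com/contoso"    # hypothetical
ISSUER_KEYS = {CONSUMER_ISS: CONSUMER_KEYS, ENTERPRISE_ISS: ENTERPRISE_KEYS}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(key_id: str, key: bytes, claims: dict) -> str:
    """Sign a compact HS256 token so the validators have input to check."""
    header = {"alg": "HS256", "kid": key_id}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), h + "." + p


def _sig_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_flawed(token: str, expected_aud: str) -> bool:
    """Loophole: a key from ANY issuer's set may verify the token, so a
    consumer-signed token with enterprise claims is accepted for enterprise mail."""
    header, claims, sig, signing_input = _split(token)
    all_keys = {}
    for key_set in ISSUER_KEYS.values():
        all_keys.update(key_set)          # consumer and enterprise keys merged
    key = all_keys.get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return False
    if claims.get("exp", 0) < time.time():
        return False
    return claims.get("aud") == expected_aud


def validate_hardened(token: str, expected_aud: str, expected_iss: str) -> bool:
    """Bind key lookup to the issuer that serves this audience: the issuer claim
    must match, and only that issuer's key set may verify the signature."""
    header, claims, sig, signing_input = _split(token)
    if header.get("alg") != "HS256":      # never let the token choose the algorithm
        return False
    if claims.get("iss") != expected_iss:
        return False
    key = ISSUER_KEYS.get(expected_iss, {}).get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return False
    if claims.get("exp", 0) < time.time():
        return False
    return claims.get("aud") == expected_aud


def demo() -> dict:
    """Run both validators over a legitimate enterprise token and a token signed
    with the consumer key that carries enterprise issuer/audience claims."""
    exp = int(time.time()) + 600
    good = mint_token("aad-key-1", ENTERPRISE_KEYS["aad-key-1"],
                      {"iss": ENTERPRISE_ISS, "aud": "exchange-online", "sub": "user@contoso", "exp": exp})
    cross = mint_token("msa-key-1", CONSUMER_KEYS["msa-key-1"],
                       {"iss": ENTERPRISE_ISS, "aud": "exchange-online", "sub": "user@contoso", "exp": exp})
    return {
        "good_flawed": validate_flawed(good, "exchange-online"),
        "good_hardened": validate_hardened(good, "exchange-online", ENTERPRISE_ISS),
        "cross_flawed": validate_flawed(cross, "exchange-online"),       # accepted: the loophole
        "cross_hardened": validate_hardened(cross, "exchange-online", ENTERPRISE_ISS),  # rejected
    }


if __name__ == "__main__":
    print(demo())
```

The defensive point is that signature verification alone says only "someone holding key X signed this"; the validator must also decide, before it looks at the signature, which issuer and key set are allowed to vouch for the audience being requested. Detection-wise, a token whose `kid` belongs to one issuer's published key set while its claims name a different issuer or tenant is a strong anomaly worth alerting on.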
Mitigation Success with No Additional Unauthorized Access
In an encouraging update, Microsoft assures that there is no sign of any further unauthorized access since mitigation.
U.S. Government Identifies Storm-0558 and Reports the Intrusion
U.S. government officials were the first to spot and report the security breach in Microsoft's cloud-based email services. National Security Council spokesperson Adam Hodge confirmed this development to CNN.
Hodge remarked, “Last month, U.S. government safeguards detected an intrusion in Microsoft’s cloud security, affecting unclassified systems. Officials promptly contacted Microsoft to trace the source and vulnerability in their cloud service. We remain committed to maintaining a high-security standard for U.S. Government procurement providers.”
Russian-based Cybercriminal Group Targets NATO Summit Attendees
In another revealing update, Microsoft confirmed on Tuesday that the Russia-based RomCom cybercriminal group exploited an unpatched Office zero-day in a series of spear-phishing attacks. These attacks targeted organizations attending the NATO Summit in Vilnius, Lithuania.