
Chinese APT Successfully Hacks Microsoft Outlook Emails in 25 Government Agencies


A Chinese threat actor tracked as “Storm-0558” recently conducted a cyberespionage campaign against email accounts at 25 government agencies in Western Europe and the United States, including the State Department. Microsoft mitigated the campaign and disclosed it on July 11.

Storm-0558 has its base in China and primarily focuses on espionage activities against Western government organizations. In this particular campaign, the hackers specifically targeted a small number of officials’ email accounts at each agency. The extent of the sensitive information accessed by the attackers remains unclear.

Microsoft’s detailed profile of Storm-0558 notes that the threat actor is known for two custom malware families, Bling and Cigril. Cigril, a Trojan, encrypts files and runs them directly from system memory to avoid detection. In this campaign the group also forged authentication tokens to impersonate authorized Azure Active Directory (AD) users, which gave it access to enterprise email accounts and potentially sensitive information.

The sophistication of Chinese cyber espionage has evolved significantly. “Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with,” stated John Hultquist, Mandiant chief analyst with Google Cloud. He further added, “They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth.”

Microsoft became aware of the anomalous mail activity associated with the campaign on June 16. Upon further investigation, it was revealed that the cyber espionage had been ongoing since at least May 15. The attackers used stolen Managed Service Account (MSA) consumer signing keys and exploited a validation issue to create forged authentication tokens. This allowed them to impersonate legitimate Azure AD users and access email accounts using Outlook.com and the Outlook Web Access client in Exchange Online.
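The key-scoping problem described above, as an added illustration that is not Microsoft's code and not a reconstruction of its actual token service: a validator that looks a token's `kid` up in a pooled key set accepts a token signed with a consumer key even when the token claims an enterprise issuer, whereas a validator that binds each key set to its issuer rejects it. Key identifiers, secrets and issuer URLs are constructed for the example, and HMAC-SHA256 stands in for the asymmetric signing used in practice.

```python
import base64, hashlib, hmac, json

# Constructed key sets; the identifiers and secrets are hypothetical, not real keys.
# Each issuer owns exactly one key set.
CONSUMER_KEYS = {"msa-2023-01": b"consumer-signing-secret"}
ENTERPRISE_KEYS = {"aad-2023-01": b"enterprise-signing-secret"}
KEYSET_FOR_ISSUER = {
    "https://login.live.com": CONSUMER_KEYS,                        # consumer (MSA) issuer
    "https://login.microsoftonline.com/contoso": ENTERPRISE_KEYS,   # enterprise (Azure AD) tenant
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a JWT-shaped token; HMAC-SHA256 is a stand-in for RSA signing."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def _parse(token: str):
    h, b, s = token.split(".")
    return json.loads(_unb64url(h)), json.loads(_unb64url(b)), _unb64url(s), f"{h}.{b}".encode()

def validate_lax(token: str, now: int) -> bool:
    """Flawed check: kid is looked up in the union of all key sets, so a consumer
    key is accepted for a token that claims an enterprise issuer."""
    header, claims, sig, signed = _parse(token)
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(header.get("kid"))
    if key is None or now >= claims.get("exp", 0):
        return False
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

def validate_strict(token: str, expected_iss: str, expected_aud: str, now: int) -> bool:
    """Hardened check: iss/aud/exp are checked first, and the kid must come from
    the key set that belongs to the expected issuer, never from another issuer's set."""
    header, claims, sig, signed = _parse(token)
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return False
    if now >= claims.get("exp", 0):
        return False
    key = KEYSET_FOR_ISSUER.get(expected_iss, {}).get(header.get("kid"))
    if key is None:
        return False
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)
```

The same binding applies to real JWKS handling: fetch and cache keys per issuer, and never merge tenant and consumer key sets into one lookup table.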

Microsoft has since resolved the MSA key issue, effectively blocking any future threat actor activity. The attack affected a total of 25 government agencies primarily located in Western Europe, as well as personal accounts linked to those agencies. Charlie Bell, executive vice president of Microsoft Security, emphasized that the threat actors do not differentiate between compromising business or personal accounts associated with targeted organizations. Bell remarked, “These well-resourced adversaries draw no distinction between trying to compromise business or personal accounts associated with targeted organizations since it only takes one successfully compromised account login to gain persistent access, exfiltrate information, and achieve espionage objectives.”

All known victims have been notified by Microsoft, and no further action is required from customers. This cyberespionage campaign showcases the evolving tradecraft of Chinese threat actors. “The reality is that we are facing a more sophisticated adversary than ever, and we’ll have to work much harder to keep up with them,” warned John Hultquist.

When approached for comment, Microsoft declined to provide a statement. It is crucial for government agencies and organizations to remain vigilant, continuously enhancing their cybersecurity measures to counter the ever-evolving tactics employed by threat actors.
