US government emphasizes significance of audit logging following Chinese APT intrusions

A Chinese espionage group tracked as Storm-0558 gained unauthorized access to Microsoft’s cloud-based Outlook Web Access in Exchange Online (OWA) and to the unclassified Outlook.com email service. The targeted campaign affected 25 organizations and lasted approximately one month, starting May 15, 2023. The intrusion came to light after the US State Department detected the espionage activity in June, around the time of Secretary of State Antony Blinken’s visit to China.

The attackers accessed email data using forged authentication tokens, which they were able to mint because they had obtained a Microsoft account signing key. It is unclear whether Microsoft itself experienced a breach. However, the software giant moved immediately to mitigate the attack for all customers without requiring any action on their part, and it deployed automated detections for the known indicators of compromise associated with this activity to harden both its own defenses and customer environments.

Although Microsoft has attributed the campaign to China, the US government has refrained from making any specific attributions. A senior FBI official stated that the sophistication of the attack, which allowed the actors to access mailbox content, is indicative of Advanced Persistent Threat (APT) activity. However, the government is not currently prepared to discuss attribution at a more specific level.

The Chinese threat actors also gained unauthorized access to emails at the Commerce Department, including Secretary Gina Raimondo’s email account. The Commerce Department has been actively involved in restricting US technology exports to China due to the country’s extensive surveillance activities and military modernization efforts.

While the government has not disclosed the agencies or the number of affected accounts, a senior Cybersecurity and Infrastructure Security Agency (CISA) official revealed that the number of US organizations impacted is in the single digits, and the number of affected accounts for each organization is relatively small. This suggests that the campaign was highly targeted and surgical in nature, unlike previous widespread campaigns such as the SolarWinds supply chain attack.

The discovery of this campaign was made possible, in part, by audit logging. Microsoft’s audit logs played a crucial role in identifying the unauthorized access and alerting the appropriate authorities. After Microsoft’s announcement, CISA and the FBI released a joint Cybersecurity Advisory (CSA) called “Enhanced Monitoring to Detect APT Activity Targeting Outlook Online.” This advisory provides guidance to agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments to detect APT activity.

In conclusion, a Chinese espionage actor known as Storm-0558 gained access to Microsoft’s cloud-based email services for a month-long targeted campaign. The US government has refrained from publicly attributing the attack to China, but Microsoft has taken steps to mitigate the breach and enhance the security of its services. The discovery of the campaign relied on audit logging, and CISA and the FBI have issued a joint advisory to help organizations enhance monitoring to detect similar APT activity.
