An “adversary based in China” that Microsoft has given the moniker “Storm-0558” has breached the email servers of “approximately” 25 U.S. organizations, including government agencies, Microsoft alerted the public in a July 11 blog post.
The most high profile target hit in the attack appears to be Secretary of State Gina Raimondo.
Microsoft attributes the hackers to neither the Chinese government nor the Chinese Communist Party, but calls actors behind a recent string of attacks associated with China “well-resourced adversaries” who “draw no distinction between trying to compromise business or personal accounts associated with targeted organizations.”
Although the report is new, the breaches were said to have occurred starting on May 15 with a Microsoft investigation only being launched on June 16 after customers reported a problem.
MORE ON THE CCP’S ADVANCED PERSISTENT THREAT TEAMS
- Chinese Hackers Pose as UN and Human Rights Entities to Attack Uyghurs
- Colonial Recovers Almost 64 BTC Thanks to DOJ, Still Loses $1.5 Million Thanks to China
- Critical US Power Grid Hardware Wide Open With Backdoors, Warns CISA
The root issue appears to have been a security vulnerability in Microsoft’s software that involved “using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.”
Success
You are now signed up for our newsletter
Success
Check your email to complete sign up
A technical briefing on the exploit from the Microsoft Security Response Center states that both Outlook email servers and webmail servers were compromised in the attack using an exploit that allowed the attackers to impersonate the security credentials of legitimate Microsoft Azure users.
Outlook email and webmail was the only vector exploited, with the enterprise-class Azure system’s tokens not appearing to be compromised.
The company notes that it has partnered with the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency in its investigation of the attack.
Microsoft’s notice to the public on the attack is notably brief and sparse with details.
In a July 12 article on the hack, The Wall Street Journal stated, “The full scope and severity of the incident, and which institutions and individuals were hacked, couldn’t be learned” by the time of writing.
WSJ also said that the attack “prompted alarm among some officials and security researchers” and may not have been a trivial breach.
Unnamed sources were paraphrased as telling the outlet the attack is “being viewed as part of an espionage campaign that potentially compromised valuable information belonging to the U.S. government.”
“The incident was serious enough to trigger a recent briefing for congressional staff by the Biden administration,” the Journal added.
But reporting from The Washington Post cast the event in a much more serious light, alleging that Secretary of Commerce Gina Raimondo’s email account was compromised, along with unidentified email accounts at the Department of State.
The attacks “also targeted were the email accounts of a congressional staffer, a U.S. human rights advocate and U.S. think tanks,” the Post added based on comments from “officials and security professionals.”
The Post also stated that the client who reported the vulnerability in Microsoft’s bulletin was actually the federal government.
Adam Hodges, spokesperson for the National Security Council, was quoted in a statement to the outlet, “U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems.”
“Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service,” Hodges added.
Charles Carmakal, CTO of Mandiant, a branch of Google, told WSJ that the attack described is “very advanced,” adding, “When you use something like this on individuals, they are probably very high-value targets.”
Shobhit Gautam, a Solutions Architect at cybersecurity company HackerOne told hacking website HackRead that Storm-0558 is “speculated to be a state-sponsored actor” that is “also known to use custom malware such as Cigril and Bling for the purpose of espionage.”
In May, Microsoft warned that another group dubbed Volt Typhoon is “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
Volt Typhoon is more notable in that it was directly defined as a “state-sponsored actor based in China that typically focuses on espionage and information gathering” by Microsoft.
The group’s modus operandi is similar to the one used by Storm-0558 in that it relied on spoofing and acquiring legitimate credentials, but was distinct in that human operators would collect data from its targets, routing it back through a series of botnets and compromised devices, such as home routers.
Critical industries such as IT, construction, transportation, and also government entities were targeted by Volt Typhoon in a campaign operating between the United States and Guam that had been running since at least 2021, Microsoft said at the time.
Geopolitical tensions between Mainland China and the International Rules Based Order have become more acute in the first and second quarters of 2023 as globalist policy now operates under a mandate to “de-risk” but not “decouple” from China.
While political brinkmanship between China and the U.S. may not have the same grim nuclear tone that diplomatic warfare does between Washington and the Kremlin following the Ukraine War, the reigning Communist Party has demonstrated it has teeth in cyberspace when it isn’t getting its way.
In May, Reuters broke a story that the CCP had launched wide-scale cyberattacks against the Kenyan government starting in 2019 after the country fell behind on debt payments incurred after signing into China’s Belt and Road development scheme.
Reuters reports were based on documents it viewed from an unidentified defense contractor, which had “assessed the hacks to be aimed, at least in part, at gaining information on debt owed to Beijing.”
An analyst Reuters spoke with said China’s hackers had spent three years compromising eight different ministries and government departments, including “Kenya’s main spy agency.”
A spokesperson for China’s Foreign Ministry called the Storm-0558 allegations a “collective disinformation campaign of the Five Eyes coalition countries, initiated by the US for its geopolitical purposes.”
The story was not covered by South China Morning Post, an English-language outlet friendly to the Chinese government’s interests, beyond the republication of an AFP wire release on the news.
