A sophisticated Chinese cyber-espionage campaign targeting Microsoft Outlook accounts gave Beijing access to tens of thousands of private US government emails, according to a new report.
The Storm-0558 group was able to steal 60,000 emails from 10 State Department accounts, nine of which were used by individuals working on East Asia and Pacific diplomacy, a Senate staffer told Reuters.
The hackers were also able to get hold of a list containing all of the department’s email accounts, according to a State Department briefing on Wednesday which the staffer had access to.
“We need to take a hard look at the federal government’s reliance on a single vendor as a potential weak point,” senator Eric Schmitt argued in an emailed statement sent to Reuters.
Details of the campaign have emerged gradually over the past few months.
In July, Microsoft revealed a Chinese cyber-espionage campaign had compromised at least 25 organizations including the US government. It said threat actors gained access to customer email accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.
The actor used an “acquired” Microsoft account (MSA) consumer signing key to forge tokens for OWA and Outlook.com, Redmond said, adding that they also exploited a token validation issue that let a token signed with that consumer key be accepted as an Azure AD (enterprise) token, allowing them to impersonate Azure AD users and gain access to enterprise mail.
Earlier this month it emerged that the threat actors had actually obtained the signing key after first breaching the corporate account of a Microsoft engineer. In April 2021, an “unfortunate event” occurred: a crash in a consumer signing system produced a crash dump that, contrary to design, contained the key. That dump was later moved from the isolated production network into Microsoft’s internet-connected debugging environment, which the compromised engineer account could access.
It was also revealed that Storm-0558 had exploited a zero-day validation issue in the GetAccessTokenForResource API, enabling it to forge signed access tokens and impersonate accounts within the State Department and other targeted organizations.
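The two mechanisms described above, a stolen signing key and a validator that does not tie the key to the issuer it is allowed to sign for, are easiest to see side by side. The following is an added example written for this article, not Microsoft’s code (the real validation logic in the GetAccessTokenForResource API is not public, and the real keys are RSA rather than HMAC). Key IDs, issuer URLs, audience and account names are all constructed for illustration. It shows a vulnerable validator that looks up the signing key by `kid` in one merged key set and therefore accepts a token for the enterprise issuer that was signed with the leaked consumer key, next to a hardened validator that rejects any key not bound to the expected issuer.

```python
"""Key-scope confusion in signed-token validation (constructed illustration).

Simplified JWT-like tokens signed with HMAC-SHA256. Two keys exist: a consumer
(MSA-style) signing key and an enterprise (Azure AD-style) signing key. The
attacker is assumed to hold the consumer key, as in the Storm-0558 case.
"""
import base64
import hashlib
import hmac
import json

# Constructed issuers, audience and keys; none of these are real values.
CONSUMER_ISSUER = "https://login.live.example/consumer"
ENTERPRISE_ISSUER = "https://login.example/tenant-a"
AUDIENCE = "https://outlook.example/"

KEYS = {
    "msa-key-1": {"issuer": CONSUMER_ISSUER, "secret": b"consumer-signing-key"},
    "aad-key-1": {"issuer": ENTERPRISE_ISSUER, "secret": b"enterprise-signing-key"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with an HMAC over header.payload."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), (h + "." + p).encode(), _unb64(s)


def _signature_ok(key: dict, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_vulnerable(token: str, expected_issuer: str):
    """Resolves the key by kid from one merged key set and checks the signature.

    Bug: the key's own scope is never compared with the issuer the token claims,
    so a token signed with the consumer key but claiming the enterprise issuer
    passes every check here.
    """
    header, claims, signing_input, sig = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    if not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("iss") != expected_issuer or claims.get("aud") != AUDIENCE:
        return None
    return claims


def validate_hardened(token: str, expected_issuer: str):
    """Same checks, plus: the key must belong to the issuer this endpoint serves."""
    header, claims, signing_input, sig = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    if key["issuer"] != expected_issuer:
        return None  # a consumer key is never allowed to sign enterprise tokens
    if not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("iss") != expected_issuer or claims.get("aud") != AUDIENCE:
        return None
    return claims


def forge_with_leaked_consumer_key(victim: str) -> str:
    """What an attacker holding the consumer key does: claim the enterprise issuer."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "sub": victim}
    return sign_token("msa-key-1", claims, KEYS["msa-key-1"]["secret"])


def issue_enterprise_token(user: str) -> str:
    """Legitimate enterprise token, signed with the enterprise key."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "sub": user}
    return sign_token("aad-key-1", claims, KEYS["aad-key-1"]["secret"])


if __name__ == "__main__":
    forged = forge_with_leaked_consumer_key("diplomat@state.example")
    print("vulnerable accepts forged:", validate_vulnerable(forged, ENTERPRISE_ISSUER) is not None)
    print("hardened accepts forged:  ", validate_hardened(forged, ENTERPRISE_ISSUER) is not None)
```

The hardening is a single extra comparison, but it is the one that matters: a key set shared across trust domains must carry the domain each key is allowed to sign for, and the validator must check it before it looks at any claim in the token. Checking `iss` alone is not enough, because the attacker controls the claims; only the key binding is outside their control.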