Microsoft has revealed how a group of Chinese hackers, dubbed Storm-0558, managed to steal one of its email signing keys and use it to compromise the accounts of several US government officials and diplomats. The breach, which occurred in April 2021, was part of a targeted espionage campaign that aimed to access their unclassified emails.

How the hackers obtained the key

The key in question was a consumer signing key that was used to secure the email accounts of Outlook.com users. Microsoft said that this key was entrusted only to employees who had undergone a background check and used dedicated workstations protected by multi-factor authentication. However, in April 2021, a system crash in the consumer key signing process produced a snapshot image of the system that contained the key. This image was then moved from an isolated production network into Microsoft’s debugging environment on the internet-connected corporate network.

Microsoft said that its systems failed to detect the key in the snapshot image because they did not have logs with specific evidence of its exfiltration. The snapshot image was then moved again from the debugging environment to another network where it was stored for further analysis.

Meanwhile, at some point after the snapshot image was moved, Storm-0558 hackers were able to compromise a Microsoft engineer’s corporate account, which had access to the debugging environment where the snapshot image containing the consumer signing key was stored. Microsoft said it cannot be completely certain how this happened, but it is likely that the hackers exploited a vulnerability in Microsoft’s credential scanning methods.

How the hackers used the key

Once they had access to the debugging environment, Storm-0558 hackers were able to access the snapshot image containing the consumer signing key. They then used this key to forge authentication tokens for Microsoft’s Azure Active Directory cloud service, which is used to secure enterprise and corporate email accounts.

Microsoft said that its email systems were not automatically or properly performing key validation, which meant that Microsoft’s email system would accept a request for enterprise email using a security token signed with the consumer key. This allowed Storm-0558 hackers to impersonate high-profile users such as US Commerce Secretary Gina Raimondo and US Ambassador to China Nicholas Burns.
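The missing validation step described above, as an added example (not Microsoft's code): a token validator that only checks the signature accepts a consumer-signed token for an enterprise service, while one that also checks the signing key's scope rejects it. HMAC stands in for the asymmetric signatures real tokens use, and the key ids, secrets, claims and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed key store: kid -> (scope the key is trusted for, secret).
KEYS = {
    "consumer-1": ("consumer", b"constructed-consumer-secret"),
    "enterprise-1": ("enterprise", b"constructed-enterprise-secret"),
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(kid: str, claims: dict) -> str:
    """Issue a header.payload.signature token with the named key."""
    head = _b64(json.dumps({"kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid][1], f"{head}.{body}".encode(), hashlib.sha256)
    return f"{head}.{body}.{_b64(mac.digest())}"

def validate(token: str, expected_scope: str, check_scope: bool = True):
    """Return the claims if the token is acceptable for this service, else None."""
    try:
        head, body, sig = token.split(".")
        scope, secret = KEYS[json.loads(_unb64(head))["kid"]]
        presented = _unb64(sig)
        claims = json.loads(_unb64(body))
    except (ValueError, KeyError, TypeError):
        return None  # malformed token or unknown key id
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), presented):
        return None  # signature does not verify under the named key
    if check_scope and scope != expected_scope:
        return None  # signature is valid, but the key is not trusted for this service
    return claims

if __name__ == "__main__":
    claims = {"sub": "user@enterprise.example"}  # constructed sample claims
    token = sign("consumer-1", claims)
    print("signature-only check:", validate(token, "enterprise", check_scope=False))
    print("with key-scope check:", validate(token, "enterprise"))
```

The signature-only path returns the claims because the consumer key is in the same key store and the signature is genuine; only the scope comparison separates "signed by a key we know" from "signed by a key this service trusts".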

What Microsoft is doing about it

Microsoft said that it has taken several steps to mitigate this incident and prevent future breaches. These include:

Microsoft also said that it is working closely with affected customers and partners to help them recover from this incident and restore their trust in Microsoft’s products and services.

Why this matters

This incident is significant for several reasons:
