Microsoft has revealed how a China-based threat actor it tracks as Storm-0558 obtained one of its consumer signing keys and used it to read email in the accounts of several US government officials and diplomats. The key leaked from a system crash in April 2021; the actor's use of it against email accounts came to light in June 2023 and was part of a targeted espionage campaign aimed at the unclassified mailboxes of US officials and diplomats.
How the hackers obtained the key
The key in question was a consumer signing key: one of the keys Microsoft uses to sign authentication tokens for consumer Microsoft accounts such as Outlook.com. Microsoft said that this key was entrusted only to employees who had undergone a background check and who used dedicated workstations protected by multi-factor authentication. However, in April 2021 the consumer key signing system crashed and produced a crash dump (a snapshot of the process memory) that contained the key. A crash dump should not contain signing keys, and Microsoft attributed the key's presence to a race condition in the signing system. The dump was then moved from the isolated production network into Microsoft's debugging environment on the internet-connected corporate network.
Microsoft said that its credential-scanning methods failed to detect the key in the crash dump, so the dump was treated like any other debugging artifact. Microsoft also said it does not have logs with specific evidence that the dump was exfiltrated, so the chain of events described here is its most probable explanation rather than a confirmed one.
Some time after the dump was moved, Storm-0558 compromised a Microsoft engineer's corporate account, which had access to the debugging environment where the dump was stored. Microsoft has not said how that account was compromised; the failure it did identify in its own tooling was the credential scanning that should have flagged the key in the dump.
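The failure described above is a missed credential scan: a crash dump carrying a signing key crossed from the isolated production network into a less protected environment without anything flagging it. The following is an added example, not Microsoft's tooling, of the gate a practitioner would want in front of that move. The "crash dump" and the signing key are constructed for the example. It runs two checks: PEM-armored private keys, which are textual and easy to spot, and exact matches against SHA-256 fingerprints of known signing keys, so that the scanner itself never holds the secrets it is looking for.

```python
"""Scan a crash dump for signing-key material before it leaves the production boundary.

Added example, not Microsoft's credential-scanning tooling. The dump contents,
the key bytes and the key name are constructed for illustration.
"""
import hashlib
import re

PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")


def fingerprint(secret: bytes) -> tuple[int, bytes]:
    """What the scanner stores per known key: its length and a SHA-256 digest, never the key itself."""
    return len(secret), hashlib.sha256(secret).digest()


def scan_dump(dump: bytes, known: dict[str, tuple[int, bytes]]) -> list[dict]:
    """Return every location in the dump that looks like key material, sorted by offset."""
    findings = [{"kind": "pem_private_key", "offset": m.start()} for m in PEM_PRIVATE_KEY.finditer(dump)]
    # Group fingerprints by key length so each byte window is hashed once per length.
    by_len: dict[int, dict[bytes, str]] = {}
    for name, (length, digest) in known.items():
        by_len.setdefault(length, {})[digest] = name
    for length, table in by_len.items():
        for offset in range(len(dump) - length + 1):
            digest = hashlib.sha256(dump[offset:offset + length]).digest()
            if digest in table:
                findings.append({"kind": "known_signing_key", "name": table[digest], "offset": offset})
    return sorted(findings, key=lambda f: f["offset"])


def may_leave_production(dump: bytes, known: dict[str, tuple[int, bytes]]) -> bool:
    """Gate for the move into the debugging environment: block if anything was found."""
    return not scan_dump(dump, known)


# Constructed inputs: a fake 32-byte signing key and a dump that carries it at a known offset.
CONSUMER_SIGNING_KEY = hashlib.sha256(b"constructed example key, not a real one").digest()
KNOWN_KEYS = {"consumer-signing-key": fingerprint(CONSUMER_SIGNING_KEY)}
FILLER = bytes(range(256)) * 4  # 1024 bytes of heap-like noise
CLEAN_DUMP = FILLER * 3
LEAKY_DUMP = (FILLER + b"\x00KeyVault\x00" + CONSUMER_SIGNING_KEY + FILLER
              + b"-----BEGIN RSA PRIVATE KEY-----\nMIIE(not a real key)\n" + FILLER)


def demo() -> dict:
    """Scan both constructed dumps; the leaky one yields the key at offset 1034 and the PEM block at 2090."""
    return {
        "clean": scan_dump(CLEAN_DUMP, KNOWN_KEYS),
        "leaky": scan_dump(LEAKY_DUMP, KNOWN_KEYS),
        "clean_may_leave": may_leave_production(CLEAN_DUMP, KNOWN_KEYS),
        "leaky_may_leave": may_leave_production(LEAKY_DUMP, KNOWN_KEYS),
    }


if __name__ == "__main__":
    for finding in demo()["leaky"]:
        print(finding)
```

The fingerprint table is the design point: a scanner that runs on a corporate network should not need a copy of the production signing keys to recognise them. Hashing every window of the key's length is linear in the dump size and cheap for the few key lengths in use; for very large dumps a rolling hash would replace the per-window SHA-256.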
How the hackers used the key
With access to the debugging environment, Storm-0558 could reach the crash dump and extract the consumer signing key. They then used the key to forge authentication tokens that Microsoft's enterprise identity service, Azure Active Directory, and Exchange Online accepted, even though the key was only ever meant to sign tokens for consumer accounts.
Microsoft said the mail system was not performing key-scope validation. In 2018 Microsoft had introduced a common key-metadata endpoint that publishes both consumer and enterprise signing keys, and the mail system's developers assumed the authentication libraries validated not just the signature but also that the signing key belonged to the issuer the token claimed; the libraries did not, and the mail system did not add that check. A token signed with the consumer key but claiming an enterprise identity was therefore accepted for enterprise email. Storm-0558 used such tokens to read the mailboxes of high-profile users, reportedly including US Commerce Secretary Gina Raimondo and US Ambassador to China Nicholas Burns.
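The missing check is easy to state and easy to get wrong in practice, so here it is as an added example that is not Microsoft's code. It uses stdlib HMAC-SHA256 JWTs instead of Microsoft's RSA-signed tokens, and the key ids, issuer URLs and tenant name are invented placeholders. The structure mirrors the article: one published key set containing both a consumer key and an enterprise key, a verifier that only asks "does some published key verify this signature?", and a verifier that also requires the signing key to be the one scoped to the issuer the token claims.

```python
"""Key-scope validation: the check the article says the mail system lacked.

Added example, not Microsoft's code. HMAC-SHA256 stands in for RSA signatures;
issuer URLs, key ids and the tenant name are assumed placeholders.
"""
import base64
import hashlib
import hmac
import json
import os
import time

CONSUMER_ISSUER = "https://login.live.com"                       # assumed placeholder
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso"  # assumed placeholder

# One key-metadata document listing both keys, each tagged with the issuer it is
# scoped to (assumption: stands in for the shared key-metadata endpoint).
KEY_SET = {
    "consumer-key": {"secret": os.urandom(32), "issuer": CONSUMER_ISSUER},
    "enterprise-key": {"secret": os.urandom(32), "issuer": ENTERPRISE_ISSUER},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWT signed with the named key (used by the legitimate issuer and the attacker alike)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY_SET[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str):
    """Look the kid up in the shared key set and check the signature. Returns (kid, claims, key)."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    kid = header.get("kid")
    key = KEY_SET.get(kid)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return kid, json.loads(_b64url_decode(claims_b64)), key


def validate_without_key_scope(token: str, expected_issuer: str) -> dict:
    """The vulnerable pattern: any published key may vouch for any issuer."""
    _kid, claims, _key = _verify_signature(token)
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer claim mismatch")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def validate_with_key_scope(token: str, expected_issuer: str) -> dict:
    """The hardened pattern: the signing key must itself be scoped to the expected issuer."""
    kid, claims, key = _verify_signature(token)
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer claim mismatch")
    if key["issuer"] != expected_issuer:
        raise ValueError(f"key {kid} is not scoped to issuer {expected_issuer}")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def _accepts(validator, token: str, issuer: str) -> bool:
    try:
        validator(token, issuer)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Replay the scenario: the consumer key mints a token that claims an enterprise identity."""
    exp = int(time.time()) + 600
    forged = sign_token("consumer-key", {"iss": ENTERPRISE_ISSUER, "sub": "secretary@contoso", "exp": exp})
    legit = sign_token("enterprise-key", {"iss": ENTERPRISE_ISSUER, "sub": "secretary@contoso", "exp": exp})
    consumer = sign_token("consumer-key", {"iss": CONSUMER_ISSUER, "sub": "someone@outlook.com", "exp": exp})
    return {
        "vulnerable_accepts_forged": _accepts(validate_without_key_scope, forged, ENTERPRISE_ISSUER),
        "hardened_accepts_forged": _accepts(validate_with_key_scope, forged, ENTERPRISE_ISSUER),
        "hardened_accepts_legit": _accepts(validate_with_key_scope, legit, ENTERPRISE_ISSUER),
        "hardened_accepts_consumer_for_consumer": _accepts(validate_with_key_scope, consumer, CONSUMER_ISSUER),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the vulnerable verifier does check the `iss` claim; the attacker simply writes the enterprise issuer into the claims, and nothing ties the claim back to which key signed it. The single extra line in the hardened verifier, comparing the key's recorded scope with the expected issuer, is what a library that "performs complete validation" has to do, and what the article says was assumed rather than implemented.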
What Microsoft is doing about it
Microsoft said that it has taken several steps to mitigate this incident and prevent a repeat. These include:
- Invalidating the stolen key and blocking tokens issued with it, and cutting off the actor's access.
- Identifying and fixing the race condition that allowed the signing key to appear in a crash dump.
- Adding prevention, detection and response for key material erroneously included in crash dumps.
- Enhancing credential scanning so that signing keys are detected in the debugging environment.
- Releasing updated authentication libraries that automate key-scope validation, and clarifying the related documentation.
- Reporting the incident to law enforcement and other relevant stakeholders.
Microsoft also said that it is working closely with affected customers and partners to help them recover from this incident and restore their trust in Microsoft’s products and services.
Why this matters
This incident is significant for several reasons:
- It shows how a single weak link in a complex system (here, a debugging artifact that crossed a trust boundary) can undo the controls around a high-value secret.
- It demonstrates that a stolen signing key is worse than a stolen password: it lets an attacker mint tokens for any identity the relying systems will accept, without touching the victim's account.
- It reveals how much still depends on human factors, since the path from the dump to the attacker ran through a compromised engineer account.
- It highlights that organizations need to scan debugging artifacts for secrets before moving them, scope keys narrowly and validate that scope on every token, and keep logs that can answer the question "was this exfiltrated?" long after the fact.
Sources
¹: Microsoft finally explains cause of Azure breach: An engineer’s account was hacked | Ars Technica
²: Microsoft explains that Chinese hackers leveraged a stolen signing key from a Windows crash dump to compromise US government accounts
³: Chinese hackers stole signing key used to breach US officials’ emails from Microsoft engineer, company says
⁴: Microsoft reveals how hackers stole its email signing key… kind of | TechCrunch