Chinese hackers breached US and European government email through Microsoft bug
Updated at 4:30 p.m. EST to include information from senior government officials.
A Chinese hacking group exploited a bug in Microsoft’s cloud email service to spy on two-dozen organizations, including some government agencies, the tech giant said late Tuesday.
Described as a “well-resourced adversary,” the threat actor tracked by Microsoft as Storm-0558 has primarily targeted government agencies in Western Europe and focused on espionage, data theft, and credential access.
“Storm” followed by a four-digit number is the temporary naming convention Microsoft uses to track new or not-yet-attributed hacking groups.
Microsoft began investigating the incidents in June after one of its customers reported the bug. According to White House National Security Council spokesperson Adam Hodge, the vulnerability was first detected by the U.S. government.
The investigation revealed that since May, the Chinese advanced persistent threat group had gained access to email data from approximately 25 organizations, including government agencies, as well as to related consumer accounts belonging to individuals connected to those organizations.
According to a technical analysis of the incident, the hackers used an acquired Microsoft consumer signing key to forge authentication tokens, which they then used to access Outlook email services.
Microsoft said it successfully mitigated the attack for all customers and blocked the group’s activity.
The NSC’s Hodge told The New York Times that no classified networks had been affected by the hack, but an investigation into how much information was stolen is ongoing.
Microsoft didn’t identify the organizations and agencies affected.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory on Wednesday that a Federal Civilian Executive Branch (FCEB) agency first identified suspicious activity in its Microsoft 365 cloud environment in June and reported it to Microsoft.
CISA Director Jen Easterly said the agency worked with Microsoft and impacted organizations “to quickly understand and remediate the threat.”
A senior CISA official said during a media briefing on Wednesday that the number of U.S. organizations affected by the breach was in the single digits but didn’t specify which agencies were compromised.
The official confirmed that the recent campaign did not affect any classified systems or data, and that the hackers were only able to access a limited number of unclassified Outlook mailboxes and the data contained within them.
This reflects the “tailored surgical nature of this campaign,” he said.
Microsoft said it has also partnered with the Department of Homeland Security’s cyber defense agency to address the breach.
The U.S. Senate Intelligence Committee is also “closely monitoring” the incident, its chair Mark Warner said Wednesday.
“It’s clear that the People's Republic of China is steadily improving its cyber collection capabilities directed against the U.S. and our allies,” he said.
Commenting on some U.S. media reports about the attack, Chinese Foreign Ministry spokesperson Wang Wenbin said on Wednesday that instead of spreading false information, the U.S. should respond to accusations about its own attacks targeting China. Wenbin also called the U.S. “the world's largest hacking empire and a cybercriminal,” according to Chinese state newspaper Global Times.
The latest China-linked cyberattack comes months after Microsoft discovered another Chinese nation-state hacker group, known as Volt Typhoon, spying on U.S. civilian and military infrastructure, including a naval base in Guam.
Additional reporting by Jonathan Greig
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.