
Microsoft changes signing key system breached by Chinese hackers to steal US gov’t data

Microsoft has announced changes to a system that Chinese hackers exploited over the last month to access email accounts and spy on the inner workings of two dozen organizations, including government agencies, a lawmaker’s staff and even Commerce Secretary Gina Raimondo.

The tech giant has faced backlash for its handling of the hack, which it said began on May 15 when a group it calls “Storm-0558” gained access to email accounts. The hackers infiltrated accounts by using forged authentication tokens, which are used to validate the identity of entities requesting access to resources, in this case email.

The hackers used an inactive consumer signing key to create tokens for Azure Active Directory, an enterprise identity service that provides multifactor authentication, and Microsoft accounts (MSA) to access online Outlook services.

Microsoft previously said the group “exploited a token validation issue” during the attack, but the company did not elaborate on what specific vulnerability was used.

On Friday, it released a new blog post that went deeper into what happened and how it responded to the incident.

“The method by which the actor acquired the key is a matter of ongoing investigation,” they said. “Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.”
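The class of validation gap that quote describes, a signing key accepted outside the scope it was issued for, can be shown with a small validator. This is an added example, not Microsoft's code, and it does not reproduce the undisclosed flaw; the key names, issuer URLs and the use of HMAC as a stand-in for asymmetric signing keys are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Constructed key store: each key records the scope it was issued for.
# HMAC secrets stand in for the asymmetric signing keys a real identity service uses.
KEYS = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret", "scope": "enterprise"},
}
# Hypothetical issuers, each mapped to the only key scope allowed to sign for it.
ISSUER_SCOPE = {"https://consumer.example/": "consumer",
                "https://enterprise.example/": "enterprise"}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key, head, body):
    return hmac.new(key["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(kid, claims):
    """Issue a header.payload.signature token signed with the key named by kid."""
    head = _b64(json.dumps({"kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(KEYS[kid], head, body))}"

def validate(token, enforce_key_scope):
    """Return the claims if the token is accepted, otherwise None."""
    try:
        head, body, sig = token.split(".")
        key = KEYS[json.loads(_unb64(head))["kid"]]
        claims = json.loads(_unb64(body))
        given = _unb64(sig)
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(claims, dict) or not hmac.compare_digest(_mac(key, head, body), given):
        return None
    # The check a weak validator omits: the key must be scoped to the claimed issuer.
    if enforce_key_scope and ISSUER_SCOPE.get(claims.get("iss")) != key["scope"]:
        return None
    return claims

# Constructed test tokens: one signed by the right key, one by a key of the wrong scope.
LEGIT = sign("enterprise-key-1", {"iss": "https://enterprise.example/", "sub": "alice"})
CROSS = sign("consumer-key-1", {"iss": "https://enterprise.example/", "sub": "alice"})
```

With `enforce_key_scope=False` the validator accepts `CROSS` because the signature is valid for a key it knows; with the scope check enabled the same token is rejected while `LEGIT` still passes.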

While the company still did not explain the specific vulnerability exploited, the tech giant said it mitigated the token forgery technique “on customers’ behalf,” writing that on June 26 the webmail version of Outlook stopped accepting tokens issued from the Azure program that was being abused by the hackers.

One day later, Microsoft blocked the usage of tokens signed with the key that had been acquired by the hackers, and by June 29 had replaced the key to stop the hackers from using it to forge new tokens.

Eventually, “Microsoft revoked all MSA signing [keys] which were valid at the time of the incident, including the actor-acquired MSA key.”

The company said it has “substantially hardened key issuance systems since the acquired MSA key was initially issued.”

“Microsoft has increased the isolation of these systems from corporate environments, applications, and users,” it said, and “refined monitoring of all systems related to key activity, and increased automated alerting related to this monitoring.”

The company has moved the MSA signing keys to a different location in their system, and on July 3 it blocked usage of the key for all impacted consumer customers “to prevent use of previously-issued tokens.”

No customer action is needed to prevent hackers from using the same tactics to access their Exchange or Outlook accounts.

Monitoring of the hackers, Microsoft said, shows that all activity related to this specific incident has been blocked. Company officials said they have seen Storm-0558 “transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys.”

Microsoft attributed the campaign to a China-based threat actor interested in espionage on specific accounts, particularly within the U.S. government.

The attacks took place a month before Secretary of State Antony Blinken conducted a landmark visit to China, and Commerce Secretary Raimondo has been the face of some of the most stringent export rules on Chinese companies since President Biden took office in 2021.

While the group behind the campaign has ties to other Chinese government-backed hacking groups, Microsoft said it is likely that Storm-0558 “operates as its own distinct group.”

Microsoft has previously seen it target “US and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests.”

On a press call this week, a senior FBI official declined to attribute the email hacks to the Chinese government but said the U.S. government plans to “impose costs against the adversary and continuously evolve as we look to defend and fight back against our adversaries.”

The Chinese Embassy forcefully denied any involvement in the incident in a statement to Reuters.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.