Image: Tadas Sar via Unsplash

Microsoft details a chain of mishaps leading to Outlook hack on government officials

A China-based hacking group was able to attack U.S. government email accounts earlier this year because it found information about a digital key after compromising a Microsoft engineer’s corporate account, the company reported Wednesday.

In essence, a file that should have remained in an isolated Microsoft network found its way over the course of about two years into the hands of the cyber-espionage group tracked as Storm-0558, the company said in a blog post.

The report addresses the question of how China-based hackers were able to create their own authentication tokens to access cloud-based Outlook email accounts of high-ranking U.S. officials. Storm-0558 needed a digital key from Microsoft’s signing system to make the tokens. According to the company, a chain of events led to a key’s exposure.

“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (‘crash dump’). The crash dumps, which redact sensitive information, should not include the signing key,” Microsoft said.

The key’s presence in the crash dump wasn’t detected, the company said, and the file was “subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network,” per Microsoft’s standard debugging processes.

Further scanning methods didn’t detect the key’s presence, the company said. Later, Storm-0558 was able to compromise the engineer’s account.

“This account had access to the debugging environment containing the crash dump which incorrectly contained the key,” Microsoft said. “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

The company said it has fixed numerous problems that allowed for the leak of the key. The phrase “this issue has been corrected” appears five times in the report.

Storm-0558 had illicit access to the email accounts beginning May 15. Targets included Secretary of Commerce Gina Raimondo and U.S. Ambassador to China Nicholas Burns, in the weeks before Secretary of State Antony Blinken traveled to Beijing for talks on U.S. restrictions on tech exports to China.

The hack drew intense scrutiny from the U.S. government, Microsoft and cybersecurity experts. The federal Cyber Safety Review Board, recently established to report on major cybersecurity incidents, announced that cloud computing safety — and specifically the Outlook breach — would be the focus of its next report.

Alexander Martin contributed to this story.


Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.