Microsoft on Tuesday revealed that it was fending off cyber attacks carried out by Chinese nation-state actors targeting two dozen organizations, some of which were government agencies, in a cyber espionage campaign designed to obtain classified data.
The attack, which began on May 15, 2023, involved access to email accounts affecting approximately 25 entities and a small number of associated individual consumer accounts.
The tech giant attributed the campaign to Storm-0558, describing it as a China-based group whose nation-state activity primarily targets government agencies in Western Europe.
“They focus on espionage, data theft, and credential access,” Microsoft said. “They are also known to use specific malware that Microsoft is tracking as Cigril and Bling to access credentials.”
The breach is said to have been detected a month later, on June 16, 2023, after an unidentified customer reported abnormal email activity to the company.
Microsoft says it has notified all targeted or compromised organizations directly through their tenant admins. It did not name the affected organizations and agencies or the number of accounts that may have been compromised.
However, according to the Washington Post, the attackers also broke into an unspecified number of US email accounts.
Access to customer email accounts, per Redmond, was gained through Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.
“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com,” Microsoft explained. “MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only apply to their respective systems.”
“The actor exploited a token validation issue to impersonate an Azure AD user and gain access to corporate email.”
There is no evidence that the threat actor used an Azure AD key or any other MSA key to carry out the attack. Microsoft has since blocked the use of tokens signed with the acquired MSA key in OWA to mitigate the attack.
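As an added example (not Microsoft's code or anything from the article), the check the quoted statement implies, in constructed Python: made-up HMAC keys and key ids stand in for the MSA and Azure AD signing keys, and a validator that selects the key set by the issuer the endpoint trusts sits beside a weak one that accepts any known key regardless of which system issued it.

```python
import base64, hashlib, hmac, json

# Constructed illustration, not Microsoft's implementation: one key store per
# token-issuing system. Real MSA/Azure AD tokens use asymmetric keys; HMAC
# keeps the example self-contained. Keys, kids and issuer URLs are made up.
CONSUMER_KEYS = {"msa-key-1": b"consumer-secret-A"}      # MSA (Outlook.com)
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-secret-B"}  # Azure AD (OWA)
ENTERPRISE_ISS = "https://login.microsoftonline.example"
ISSUER_KEYS = {"https://login.live.example": CONSUMER_KEYS,
               ENTERPRISE_ISS: ENTERPRISE_KEYS}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a compact JWT-style token: header.payload.signature."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _split(token: str):
    h, b, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(b)), h, b, _unb64(s)

def _sig_ok(key: bytes, h: str, b: str, sig: bytes) -> bool:
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def validate_flawed(token: str) -> bool:
    """Weak: resolves kid against every system's keys and ignores iss, so a
    token signed with a consumer key passes at the enterprise endpoint."""
    hdr, _claims, h, b, sig = _split(token)
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(hdr.get("kid"))
    return key is not None and _sig_ok(key, h, b, sig)

def validate_hardened(token: str, expected_iss: str) -> bool:
    """Hardened: iss must be the issuer this endpoint trusts, and the kid is
    looked up only in that issuer's key set before the signature counts."""
    hdr, claims, h, b, sig = _split(token)
    if claims.get("iss") != expected_iss:
        return False
    key = ISSUER_KEYS[expected_iss].get(hdr.get("kid"))
    return key is not None and _sig_ok(key, h, b, sig)

# Token signed with the consumer (MSA) key but carrying enterprise claims,
# as presented to the enterprise (OWA) endpoint.
cross_system = sign_token("msa-key-1", CONSUMER_KEYS["msa-key-1"],
                          {"iss": ENTERPRISE_ISS, "sub": "user@contoso.example"})
```

The hardened path rejects `cross_system` because `msa-key-1` does not exist in the enterprise key set, while the flawed path accepts it on signature alone.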
“This type of adversary motivated by espionage seeks to misuse credentials and gain access to data residing on sensitive systems,” Charlie Bell, executive vice president of Microsoft Security, said.
The disclosure comes just over a month after Microsoft disclosed a critical infrastructure attack carried out by a Chinese adversarial collective called Volt Typhoon (aka Bronze Silhouette or Vanguard Panda) that targeted the US.