An unnamed Federal Civilian Executive Branch (FCEB) agency in the US detected abnormal email activity in mid-June 2023, leading Microsoft to uncover a new China-related espionage campaign targeting two dozen organizations.
The details come from a joint cybersecurity advisory released by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on July 12, 2023.
“In June 2023, Federal Civilian Executive Branch (FCEB) agents identified suspicious activity in their Microsoft 365 (M365) cloud environment,” the authorities said. “Microsoft determined that an advanced persistent threat actor (APT) accessed and extracted unclassified Exchange Online Outlook data.”
While the name of the government agency was not disclosed, CNN and The Washington Post reported that it was the US Department of State, citing people familiar with the matter. Also targeted were the Department of Commerce and email accounts belonging to congressional staff, US human rights advocates and US think tanks. The number of affected organizations in the US is estimated to be in the single digits.
The disclosure came a day after the tech giant linked the campaign to an emerging “China-based threat actor” it tracked under the name Storm-0558, which primarily targets government agencies in Western Europe and focuses on espionage and data theft. The evidence gathered so far suggests that the malicious activity started a month before it was detected.
China, however, has denied accusations that it was behind the hacking incident, calling the US “the world’s largest hacking empire and cyber thieves” and saying that “it is time the US explained its cyber attack activities and stopped spreading disinformation to distract the public.”
The attack chain relies on the cyberspies using forged authentication tokens to access customer email accounts through Outlook Web Access in Exchange Online (OWA) and Outlook.com. The tokens were forged using an acquired Microsoft account (MSA) consumer signing key. The exact method by which the key was obtained remains unclear.
Also used by Storm-0558 to facilitate credential access are two custom malware tools named Bling and Cigril, the latter of which is characterized as a trojan that decrypts encrypted files and runs them directly from system memory to evade detection.
CISA says FCEB agencies can identify such breaches by leveraging enhanced logging in Microsoft Purview Audit, specifically the MailItemsAccessed mailbox-auditing action.
The agency further recommends that organizations enable Purview Audit (Premium) logging, enable Microsoft 365 Unified Audit Logging (UAL), and ensure logs are searchable by operators so that this kind of activity can be hunted for and distinguished from expected behavior in the environment.
“Organizations are encouraged to look for outliers and become familiar with archetypes to better understand abnormal traffic versus normal traffic,” added CISA and the FBI.
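The baselining-and-outlier approach CISA and the FBI describe, as an added example that is not part of the advisory or of any Microsoft tooling: it parses constructed MailItemsAccessed records (the AuditData JSON of UAL events, with field names as I understand the M365 audit schema and invented users and IPs), builds a per-mailbox profile of known client/source-IP pairs from a baseline window, then flags accesses from unfamiliar clients and any single client that touches many mailboxes, the archetype of a forged-token actor.

```python
import json
from collections import defaultdict

# Constructed sample records (one AuditData JSON document per line); the
# field names mirror the M365 audit schema, the values are invented here.
BASELINE_LOG = """\
{"Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.10"}
{"Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientInfoString":"Client=MSExchangeRPC","ClientIPAddress":"203.0.113.11"}
{"Operation":"MailItemsAccessed","UserId":"carol@agency.example","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.12"}
{"Operation":"MailboxLogin","UserId":"alice@agency.example","ClientIPAddress":"203.0.113.10"}
"""
REVIEW_LOG = """\
{"Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.10"}
{"Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"198.51.100.7"}
{"Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"198.51.100.7"}
{"Operation":"MailItemsAccessed","UserId":"carol@agency.example","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"198.51.100.7"}
"""

def parse_mail_access(text):
    """Return only MailItemsAccessed records from newline-delimited AuditData JSON."""
    recs = [json.loads(l) for l in text.splitlines() if l.strip()]
    return [r for r in recs if r.get("Operation") == "MailItemsAccessed"]

def client_key(rec):
    """(client archetype, source IP): first ClientInfoString token plus the IP."""
    return (rec.get("ClientInfoString", "").split(";")[0], rec.get("ClientIPAddress", ""))

def baseline_profile(records):
    """Per mailbox, the set of (client, IP) pairs seen during the baseline window."""
    profile = defaultdict(set)
    for r in records:
        profile[r["UserId"]].add(client_key(r))
    return profile

def flag_outliers(profile, records, mailbox_threshold=3):
    """Flag accesses from a (client, IP) never seen for that mailbox, and any one
    (client, IP) that touches >= mailbox_threshold distinct mailboxes in the window."""
    findings, touched = [], defaultdict(set)
    for r in records:
        key = client_key(r)
        touched[key].add(r["UserId"])
        if key not in profile.get(r["UserId"], set()):
            findings.append({"reason": "new_client_for_mailbox", "user": r["UserId"], "client": key[0], "ip": key[1]})
    for key, users in touched.items():
        if len(users) >= mailbox_threshold:
            findings.append({"reason": "one_client_many_mailboxes", "client": key[0], "ip": key[1], "mailboxes": sorted(users)})
    return findings

if __name__ == "__main__":
    prof = baseline_profile(parse_mail_access(BASELINE_LOG))
    for f in flag_outliers(prof, parse_mail_access(REVIEW_LOG)):
        print(f)
```

In production the baseline window should be long enough (weeks) to capture each user's legitimate clients, and the mailbox threshold tuned to the tenant's size.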