Storm-0558—Chinese Cyber Attack on US Government Organizations
By: Craig Kennedy
On July 11th 2023, Microsoft disclosed that a Chinese intelligence group named Storm-0558 had hacked into Microsoft email accounts belonging to 25 organizations in the United States and Western Europe, including the State Department and the Department of Commerce. The breach was discovered by the State Department and reported to Microsoft and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on June 16th 2023.
Who is Storm-0558?
Storm-0558 is a China-based threat actor that has targeted European and US government entities, as well as individuals politically aligned with Taiwanese or Uyghur interests, with the aim of gaining unauthorized access to email accounts at the targeted organizations. Since at least August 2021 it has used credential harvesting, phishing campaigns, and OAuth token attacks to get into Microsoft accounts.
How Did They Get In?
The attackers obtained a Microsoft account (MSA) consumer signing key and used it to forge authentication tokens. A token validation flaw in Microsoft's token services meant that tokens signed with the consumer key were accepted not only for MSA consumer accounts but also for Azure AD enterprise accounts. This gave the attackers broad access to Outlook Web Access (OWA) in Exchange Online and to Outlook.com mailboxes from as early as May 15th 2023, about a month before the activity was first discovered.
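The underlying failure class is a verifier that trusts a signing key outside the issuer it was minted for: a key valid for consumer tokens verifies a token that claims to be an enterprise token. The example below is added to this post and is not Microsoft's code; the exact flaw in Microsoft's token service is not described here, so this is a generic model of that class. The issuer URLs, key IDs, and audience are hypothetical, and HMAC secrets stand in for the asymmetric signing keys a real identity provider would use. It contrasts a weak verifier that looks up the `kid` in one merged key store with a strict verifier that scopes key lookup to the expected issuer and checks `iss`, `aud` and `exp` only after the signature is verified.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, hypothetical key material. HMAC secrets stand in for the
# asymmetric signing keys a real identity provider would use; the issuer
# URLs and key IDs are not Microsoft's.
CONSUMER_ISS = "https://login.consumer.example"
ENTERPRISE_ISS = "https://login.enterprise.example"
KEYS_BY_ISSUER = {
    CONSUMER_ISS: {"msa-key-1": b"consumer-signing-secret"},
    ENTERPRISE_ISS: {"aad-key-1": b"enterprise-signing-secret"},
}
MAIL_AUDIENCE = "api://mail.example"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(kid, secret, claims):
    """Mint a compact HS256 JWT with the given key ID and secret."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), h + "." + p, _b64url_decode(s)


def _sig_ok(secret, signing_input, sig):
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_weak(token):
    """Weak: every key the service knows verifies every token, regardless of
    which issuer the key belongs to. Returns the claims or None."""
    header, claims, signing_input, sig = _split(token)
    merged = {kid: k for ks in KEYS_BY_ISSUER.values() for kid, k in ks.items()}
    secret = merged.get(header.get("kid"))
    if secret is None or not _sig_ok(secret, signing_input, sig):
        return None
    return claims


def verify_strict(token, expected_iss, expected_aud, now=None):
    """Strict: the key set is chosen from the verifier's configured issuer, not
    from anything in the token, and claims are read only after the signature
    checks out. Returns (claims, "ok") or (None, reason)."""
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    kid = header.get("kid")
    secret = KEYS_BY_ISSUER.get(expected_iss, {}).get(kid)
    if secret is None:
        return None, "kid %r not in key set for %s" % (kid, expected_iss)
    if not _sig_ok(secret, signing_input, sig):
        return None, "bad signature"
    if claims.get("iss") != expected_iss:
        return None, "issuer mismatch"
    if claims.get("aud") != expected_aud:
        return None, "audience mismatch"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None, "expired"
    return claims, "ok"


def forged_enterprise_token(now=None):
    """Attacker holding the consumer signing key mints a token that claims
    the enterprise issuer and a mail audience."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ENTERPRISE_ISS, "aud": MAIL_AUDIENCE,
              "sub": "victim@enterprise.example", "iat": now, "exp": now + 3600}
    return sign("msa-key-1", KEYS_BY_ISSUER[CONSUMER_ISS]["msa-key-1"], claims)


if __name__ == "__main__":
    t = forged_enterprise_token()
    print("weak verifier accepts forged token:", verify_weak(t) is not None)
    print("strict verifier:", verify_strict(t, ENTERPRISE_ISS, MAIL_AUDIENCE))
```

The design point is that the strict verifier never consults the token's own `iss` claim to decide which keys to trust; the relying party's configuration decides, and a `kid` that is only known to another issuer's key set is simply unknown. Key rotation then also matters: revoking a compromised key from its issuer's set is enough to reject tokens it signed, which is the remediation Microsoft applied.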
Targeted Attack
As is typical for Storm-0558, this was a highly targeted attack, focused on US government agencies. The accounts of Gina Raimondo, the Commerce Secretary; Nicholas Burns, the U.S. Ambassador to China; and Daniel Kritenbrink, the Assistant Secretary of State for East Asian and Pacific Affairs, were among those compromised. In all, around 25 organizations were affected, including government agencies, but as reported by CISA, no classified documents were taken.
Mitigation and Remediation
Microsoft fixed the token validation flaw, revoked all previously active MSA signing keys, and issued new keys on June 27th 2023. It also added automated detections for the known indicators of compromise (IoCs) associated with this attack and, to date, has found no evidence of further access.
Bottom Line
This breach should serve as a wake-up call for C-level executives and boards of directors. Microsoft's security team is highly skilled, and if it can fall victim to a breach of this scale, any organization can. Boards need to ensure their organizations are taking the necessary steps to secure themselves in this era of cyber warfare.
This blog is a part of the Digital Operations blog series by Aragon Research’s Sr. Director of Research, Craig Kennedy.