Microsoft is still investigating how a China-linked hacking group acquired an inactive Microsoft account (MSA) consumer signing key and used it to forge authentication tokens, which it then used to steal emails from the U.S. State Department. The threat actor also accessed data from about two dozen other organizations.
Microsoft has since hardened its key issuance systems, revoked all previously active keys and issued new keys from the updated systems. The company said the changes disrupt the mechanism the attackers are believed to have used to acquire the MSA key, and that it has since observed the actor attempting other techniques.
Microsoft attributed the attack to Storm-0558 and released additional analysis Friday, just days after officials outlined a targeted cyberattack against 25 organizations across the globe. The campaign led to the theft of State Department emails and reportedly stole emails from Commerce Secretary Gina Raimondo.
The FBI and Cybersecurity and Infrastructure Security Agency released updated guidance on the threat activity on Friday, incorporating findings from the Microsoft investigation. The agencies are urging organizations to enable audit logging and harden cloud environments.
Peter Firstbrook, VP analyst at Gartner, said the attacks are an example of how attackers are targeting the identity system to gain credentialed access.
China-based threat actor Storm-0558 has been active in recent years targeting European or U.S. diplomatic, economic or legislative bodies. The group has also targeted media companies, think tanks and telecom equipment and service providers, according to Microsoft.
Most of the group's attacks have aimed at stealing employee email, using credential harvesting, phishing and OAuth token abuse, Microsoft said. In past campaigns the group has placed web shells, including the China Chopper web shell, on compromised servers.
The attackers previously deployed a malware family known as Cigril.
Microsoft took several steps starting in late June to help protect customers from future attacks:
- On June 26, Outlook Web Access (OWA) stopped accepting tokens issued by GetAccessTokensForResource for renewal.
- On June 27, Microsoft blocked the use of tokens signed with the acquired MSA key in OWA, preventing further enterprise mail access by the actor.
- On June 29, Microsoft completed replacement of the key, so it can no longer be used to forge tokens.
- On July 3, Microsoft blocked usage of the key for all impacted consumer customers.
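The steps above amount to two controls on the token-validating side: a key must only validate tokens for the issuer it belongs to (a consumer signing key must not validate enterprise tokens, whatever the token's claims say), and a revoked key must be rejected outright. The following is an added illustration of both checks, not Microsoft's code and not a description of how MSA or Azure AD validation is implemented. It uses HMAC-SHA256 as a stand-in for the real asymmetric signatures so it runs with the standard library only; the key identifiers, issuer URLs, audience and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key table. Each signing key is bound to exactly one issuer;
# the secrets are placeholders (real MSA/Azure AD keys are RSA key pairs).
ENTERPRISE_ISSUER = "https://login.example.test/contoso"   # hypothetical tenant
CONSUMER_ISSUER = "https://consumer.login.example.test"    # hypothetical MSA
MAIL_AUDIENCE = "https://mail.example.test"                # hypothetical OWA
KEYS = {
    "msa-consumer-2016": {"secret": b"consumer-key-material", "issuer": CONSUMER_ISSUER},
    "aad-enterprise-2023": {"secret": b"enterprise-key-material", "issuer": ENTERPRISE_ISSUER},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint an HS256 token with the named key. Used to build both the legitimate
    token and the forged one (an attacker holding the consumer key can do this)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, expected_issuer: str, expected_audience: str,
                   now=None, revoked=frozenset()) -> tuple:
    """Return (ok, reason). The order matters: the key is checked against the
    expected issuer before the signature, so a valid signature under the wrong
    key never gets as far as the claims."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    kid = header.get("kid")
    if kid in revoked or kid not in KEYS:
        return False, "unknown or revoked kid"
    key = KEYS[kid]
    # Key/issuer binding: a consumer key must never validate an enterprise
    # token, regardless of what the token's own iss claim asserts.
    if key["issuer"] != expected_issuer:
        return False, "key not bound to expected issuer"
    expected_sig = hmac.new(key["secret"], (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    if claims.get("iss") != expected_issuer:
        return False, "wrong issuer"
    if claims.get("aud") != expected_audience:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the four cases a mail service must get right and return the verdicts."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE,
              "sub": "alice@contoso.example", "exp": now + 3600}
    legit = sign_token("aad-enterprise-2023", claims)
    # Forgery: identical enterprise claims, signed with the stolen consumer key.
    forged = sign_token("msa-consumer-2016", claims)
    other_aud = sign_token("aad-enterprise-2023", dict(claims, aud="https://other.example.test"))
    return {
        "legitimate": validate_token(legit, ENTERPRISE_ISSUER, MAIL_AUDIENCE, now),
        "forged_with_consumer_key": validate_token(forged, ENTERPRISE_ISSUER, MAIL_AUDIENCE, now),
        "wrong_audience": validate_token(other_aud, ENTERPRISE_ISSUER, MAIL_AUDIENCE, now),
        "legitimate_after_revocation": validate_token(
            legit, ENTERPRISE_ISSUER, MAIL_AUDIENCE, now, revoked={"aad-enterprise-2023"}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The forged token carries a correct-looking iss claim and a signature that verifies under the consumer key; it is rejected only because the validator refuses to use a key that is not bound to the issuer it expects. The revocation case shows why rotating the key (the June 29 step) and blocking the old key identifier (the June 27 and July 3 steps) are separate controls: a token signed with a revoked kid fails before any cryptography runs.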