Chinese Threat Actors Stole Around 60,000 Emails from US State Department in Microsoft Breach

Cyber Security Threat Summary:
China-linked hackers breached Microsoft's email platform in May and stole tens of thousands of emails from U.S. State Department accounts, according to a Senate staffer. During a briefing by State Department IT officials, it was revealed that threat actors targeted around 60,000 emails from a total of 10 State Department accounts belonging to officials working in East Asia, the Pacific, and Europe.

The compromised accounts primarily focused on Indo-Pacific diplomacy. Although the stolen emails were unclassified, the breach raised concerns about cybersecurity. Microsoft had previously mitigated an attack by a China-linked threat actor known as Storm-0558, which targeted customer emails, including government agencies in Western Europe. The attackers exploited a token validation issue and forged authentication tokens to gain access to email accounts. Microsoft's investigation revealed that the threat actors had stolen a signing key from a Windows crash dump in April 2021, which contributed to the breach.

Security Officer Comments:
Microsoft researchers discovered that the threat actors gained access to customer email accounts through Outlook Web Access in Exchange Online (OWA) and Outlook[.]com by forging authentication tokens. The attackers used an acquired MSA (Microsoft account) consumer signing key to forge those tokens, and exploited a token validation issue that let them impersonate Azure AD users and reach enterprise mail. In early September, Microsoft shared a comprehensive technical investigation into how the attackers obtained the Microsoft account consumer signing key.
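To make the key-scope part of the validation issue concrete, here is an added example (not Microsoft's code and not a description of its internals): a toy token verifier in which every signing key is bound to the identity system it may sign for, so a token for an enterprise issuer that carries a valid signature from a consumer-scoped key is still rejected. Tokens are JWT-shaped but signed with HMAC-SHA256 so the script needs only the standard library; key IDs, secrets, issuers and claim values are constructed for the demo.

```python
"""Toy token verifier illustrating signing-key scope validation.

Added example, not Microsoft's code. Tokens are JWT-shaped
(header.payload.signature, base64url) but signed with HMAC-SHA256 so the
demo needs only the standard library; real MSA/Azure AD keys are asymmetric.
Key IDs, secrets, issuers and claims below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json

# Constructed key registry: each signing key is bound to the identity system
# it is allowed to sign tokens for ("consumer" = Microsoft account,
# "enterprise" = Azure AD work/school tenants).
KEY_REGISTRY = {
    "msa-key-01": {"secret": b"consumer-key-material-demo", "scope": "consumer"},
    "aad-key-01": {"secret": b"enterprise-key-material-demo", "scope": "enterprise"},
}

# Constructed issuers: which token issuer belongs to which scope.
ISSUER_SCOPE = {
    "https://login.live.com": "consumer",
    "https://login.microsoftonline.com/contoso-tenant": "enterprise",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a token with the named key. The signer does not check scope;
    that is the verifier's job, which is the point of the demo."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    )
    sig = hmac.new(KEY_REGISTRY[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, check_key_scope: bool = True) -> dict:
    """Verify the signature, then (optionally) check that the key which signed
    the token is allowed to sign for the token's issuer. Returns the claims on
    success and raises ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    key = KEY_REGISTRY.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    issuer_scope = ISSUER_SCOPE.get(claims.get("iss"))
    if issuer_scope is None:
        raise ValueError("unknown issuer")
    # A verifier that stops here accepts any registry key with a valid
    # signature, regardless of which identity system that key belongs to.
    if check_key_scope and key["scope"] != issuer_scope:
        raise ValueError(f"key {header['kid']} ({key['scope']}) may not sign {issuer_scope} tokens")
    return claims


def _outcome(token: str, check_key_scope: bool) -> str:
    try:
        verify_token(token, check_key_scope)
        return "accepted"
    except ValueError as e:
        return f"rejected: {e}"


def demo() -> dict:
    """Same enterprise claims, signed once with the consumer key and once with
    the enterprise key, checked with and without the scope rule."""
    enterprise_claims = {
        "iss": "https://login.microsoftonline.com/contoso-tenant",
        "sub": "alice@contoso.example",
        "aud": "outlook",
    }
    mis_scoped = sign_token("msa-key-01", enterprise_claims)  # wrong key for this issuer
    legit = sign_token("aad-key-01", enterprise_claims)
    return {
        "mis_scoped_without_scope_check": _outcome(mis_scoped, check_key_scope=False),
        "mis_scoped_with_scope_check": _outcome(mis_scoped, check_key_scope=True),
        "legit_with_scope_check": _outcome(legit, check_key_scope=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the signature check alone answers "was this token signed by a key I trust?", not "was it signed by a key that is allowed to speak for this issuer?"; binding scope to the key in the registry and comparing it with the issuer's scope is what the second question needs.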

Suggested Correction(s):
The IT giant announced that it had revoked all valid MSA signing keys to prevent attackers from using any other compromised keys. Below are the improvements implemented after the investigation:

  • Identified and resolved a race condition that allowed the signing key to be present in crash dumps.
  • Enhanced prevention, detection, and response for key material erroneously included in crash dumps.
  • Enhanced credential scanning to better detect the presence of signing keys in the debugging environment.
  • Released enhanced libraries to automate key scope validation in authentication libraries, and clarified related documentation.
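As an added example of the crash-dump credential scanning the second and third bullets describe (not Microsoft's tooling), the script below scans a raw byte buffer for private-key material, PEM private-key blocks and JWK private parameters, and compares each hit's SHA-256 fingerprint against fingerprints of the keys actually in production, so the scanner can flag the real signing key without carrying the key itself. The dump contents, key material and key names are constructed.

```python
"""Scan a crash dump (raw bytes) for signing-key material.

Added example, not Microsoft's tooling. Everything below (key bytes, key
names, the dump contents) is constructed for the demo.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Structural markers of private keys: PEM blocks (any "... PRIVATE KEY" label,
# matched with the same label on the END line) and the private exponent "d"
# of a JSON Web Key.
PEM_PRIVATE_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.DOTALL
)
JWK_PRIVATE_RE = re.compile(rb'"d"\s*:\s*"([A-Za-z0-9_-]{32,})"')


def fingerprint(material: bytes) -> str:
    """SHA-256 of the raw key material; the allowlist stores this, not keys."""
    return hashlib.sha256(material).hexdigest()


# Constructed stand-in for a production signing key. Only its fingerprint is
# kept in the scanner's configuration, so the scanner never holds the key.
DEMO_SIGNING_KEY = (
    b"-----BEGIN PRIVATE KEY-----\n"
    b"DEMO-KEY-MATERIAL-NOT-A-REAL-KEY-0001\n"
    b"-----END PRIVATE KEY-----"
)
PRODUCTION_KEY_FINGERPRINTS: Dict[str, str] = {
    fingerprint(DEMO_SIGNING_KEY): "msa-signing-key-demo",
}


@dataclass
class Finding:
    offset: int               # byte offset in the dump
    kind: str                 # what kind of private-key material was seen
    known_key: Optional[str]  # name of the production key it matches, if any


def scan_dump(dump: bytes, known: Dict[str, str] = PRODUCTION_KEY_FINGERPRINTS) -> List[Finding]:
    """Return every private-key-shaped region in the dump, tagged with the
    production key it matches (by fingerprint) or None for unknown material."""
    findings = []
    for m in PEM_PRIVATE_RE.finditer(dump):
        findings.append(Finding(m.start(), m.group(1).decode(), known.get(fingerprint(m.group(0)))))
    for m in JWK_PRIVATE_RE.finditer(dump):
        # For JWKs the fingerprint is taken over the private parameter alone.
        findings.append(Finding(m.start(), "JWK private exponent", known.get(fingerprint(m.group(1)))))
    return sorted(findings, key=lambda f: f.offset)


def leaked_production_keys(dump: bytes) -> List[str]:
    """Names of production keys present in the dump; a non-empty result means
    the dump must be quarantined rather than shipped to a debugging environment."""
    return sorted({f.known_key for f in scan_dump(dump) if f.known_key})


def build_demo_dump() -> bytes:
    """Constructed dump: junk, the production key, an unrelated test key, a JWK."""
    return (
        b"\x00" * 64 + b"heap junk ..." + b"\x00" * 16
        + DEMO_SIGNING_KEY + b"\x00" * 32
        + b"-----BEGIN RSA PRIVATE KEY-----\nTEST-ONLY-KEY\n-----END RSA PRIVATE KEY-----"
        + b"\x00" * 8
        + b'{"kty":"RSA","kid":"demo","d":"' + b"A" * 43 + b'"}'
    )


if __name__ == "__main__":
    for f in scan_dump(build_demo_dump()):
        print(f"offset {f.offset:6d}  {f.kind:22s}  known key: {f.known_key}")
    print("leaked production keys:", leaked_production_keys(build_demo_dump()))
```

Unknown private-key material (a developer's test key) is still reported, since a dump that contains any private key is worth a look, but only a fingerprint match against the production set should block the dump from leaving the crash-collection boundary.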