Microsoft repelled Chinese spies targeting Western European Governments

On Tuesday, Microsoft announced that it successfully fended off a cyber assault launched by a Chinese state-sponsored actor aimed at around two dozen organizations, including government agencies. The attack was part of a cyber espionage campaign to obtain confidential information.

According to the report: “Microsoft has mitigated an attack by a China-based threat actor Microsoft tracks as Storm-0558 which targeted customer emails. Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access.”

When did the attack begin?

The offensive, which began on May 15, 2023, involved unauthorized access to email accounts, impacting approximately 25 entities and a small number of individual consumer accounts.

Microsoft attributed the operation to a China-based nation-state group it tracks as Storm-0558. The group predominantly targets government agencies in Western Europe and focuses on espionage, data theft, and obtaining credentials. It uses custom malware, named Cigril and Bling by Microsoft, to gain access to credentials.

The breach was discovered a month later, on June 16, 2023, after an unidentified customer reported suspicious email activity to Microsoft.

Did Microsoft act responsibly?

Microsoft promptly notified affected organizations and agencies through their administrators. However, Microsoft did not disclose the specific entities and the number of compromised accounts. 

  • The attackers exploited a vulnerability in Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens, allowing them access to customer email accounts. 
  • They used an acquired MSA (Microsoft Account) key to create fake tokens and gain entry to OWA and Outlook.com. Microsoft clarified that MSA keys and Azure AD (Active Directory) keys are issued and managed separately and should only be valid for their respective systems.

No evidence suggests that the threat actor utilized Azure AD keys or any other MSA keys during the attacks. Microsoft has taken measures to block the usage of tokens signed with the acquired MSA key in OWA to mitigate the attack.
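The two controls described above, a signing key that is valid only for its own system and a block on tokens signed with a specific key, can be sketched as follows. This is an added example, not Microsoft's code: the key ids, secrets, scope names and token layout are constructed, and HMAC stands in for the asymmetric signatures real identity tokens use.

```python
import base64, hashlib, hmac, json

# Constructed key registry: each signing key is bound to ONE system (scope).
# Key ids, secrets and scope names are hypothetical placeholders.
KEYS = {
    "msa-key-1": {"secret": b"consumer-demo-secret", "scope": "consumer"},
    "aad-key-1": {"secret": b"enterprise-demo-secret", "scope": "enterprise"},
}
REVOKED_KIDS = set()  # key ids blocked after a key is known to be compromised

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret: bytes, body: str) -> bytes:
    return hmac.new(secret, body.encode(), hashlib.sha256).digest()

def sign(kid: str, secret: bytes, claims: dict) -> str:
    """Build a compact header.payload.signature token (constructed format)."""
    body = _b64(json.dumps({"kid": kid}).encode()) + "." + _b64(json.dumps(claims).encode())
    return body + "." + _b64(_mac(secret, body))

def validate(token: str, service_scope: str, enforce_scope: bool = True) -> str:
    """Return 'ok', or the reason the token is rejected."""
    try:
        head, payload, sig = token.split(".")
        kid = str(json.loads(_unb64(head))["kid"])
        sig_bytes = _unb64(sig)
    except (ValueError, KeyError, TypeError):
        return "malformed"
    key = KEYS.get(kid)
    if key is None:
        return "unknown key"
    if kid in REVOKED_KIDS:
        return "revoked key"
    if not hmac.compare_digest(_mac(key["secret"], f"{head}.{payload}"), sig_bytes):
        return "bad signature"
    # A valid signature is not enough: the key must belong to this system.
    if enforce_scope and key["scope"] != service_scope:
        return "key not valid for this system"
    return "ok"
```

With `enforce_scope=False` (the weak setting, kept only for contrast) a correctly signed token from the wrong system's key is accepted; with the default it is rejected, and adding the key id to `REVOKED_KIDS` rejects it everywhere.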

Microsoft Security’s Executive Vice President Charlie Bell emphasized that “this espionage-driven adversary seeks to exploit credentials and gain unauthorized access to sensitive systems.”

Concluding remarks

This incident highlights the persistent threat from nation-state attackers, who are ready to exploit sensitive information. Cybersecurity has become a challenge in this growing digital environment, and we must stay aware of what is happening.

Author: PureVPN

Date: July 13, 2023