Microsoft says Chinese hackers misappropriated one of its digital keys and used a flaw in the company's code to steal emails from US government agencies and other clients for intelligence gathering.
The company said in a blog post on Friday that the hackers were able to use the key - which they acquired under undisclosed circumstances - and take advantage of "a validation error in Microsoft code" to carry out their cyberespionage campaign.
The blog provided the fullest explanation yet for a hack that rattled both the cybersecurity industry and China-US relations. Beijing has denied any involvement in the spying.
Microsoft and US officials said on Wednesday night that Chinese state-linked hackers had been secretly accessing email accounts at around 25 organizations.
On July 11, Microsoft published “two blogs detailing a malicious campaign by a threat actor tracked as Storm-0558 that targeted customer email that we’ve detected and mitigated.”
US officials said those targeted included at least two government agencies: the State and Commerce Departments. Personnel from the US House of Representatives have also reported being affected.
The intrusion activity began in May and continued for roughly one month. Microsoft said it identified the malicious campaign on June 16th.
Secretary of State Antony Blinken told China's top diplomat, Wang Yi, in a meeting in Jakarta on Thursday that any action that targets the US government, US companies, or American citizens "is of deep concern to us, and that we will take appropriate action to hold those responsible accountable," according to a senior State Department official.
Microsoft's blog post did not explain how the hackers got their hands on one of the company's digital keys, leading some experts to speculate that Microsoft itself had been hacked ahead of the thefts.
The company did not immediately respond to questions about the key.
“Microsoft Threat Intelligence assesses with moderate confidence that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives,” Microsoft said Friday in a security blog post.
“While we have discovered some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), we maintain high confidence that Storm-0558 operates as its own distinct group,” the blog post said.
The breach has thrown Microsoft's security practices under scrutiny, with officials and lawmakers calling on the Redmond, Washington-based company to make its top level of digital auditing, also called logging, available to all its customers free of charge.
Microsoft said in a statement late on Thursday that it was taking the criticism on board.
"We are evaluating feedback and are open to other models," the company said, adding that it was "actively engaged" with US officials on the matter.
US Personnel Targeted
US Commerce Department Secretary Gina Raimondo was said to be among the group of senior US officials whose emails were hacked.
The Chinese Ministry of Foreign Affairs called the accusations "disinformation" in a statement to Reuters earlier this week.
Raimondo's department has implemented a series of export control policies against China, curbing the transfer of semiconductors and other sensitive technologies.
A Commerce Department spokesperson said on Wednesday that Microsoft had notified the agency of "a compromise to Microsoft’s Office 365 system, and the Department took immediate action to respond." But the spokesperson declined to comment on an intrusion against Raimondo specifically.
A report by the US inspector general's office in March sharply criticized the Commerce Department's “fundamental deficiencies” in its cybersecurity incident response program, saying it violated security protocols, did not properly use cyber-protection tools, and poorly handled simulated cyberattacks.
A storm in the cloud
For years individuals, organizations, and governments have been moving their emails, spreadsheets, and other data off their own servers and onto Microsoft's, taking advantage of cost savings and the integration of Microsoft’s suite of office tools.
At the same time, Microsoft has promoted the use of its own security products, prompting some clients to abandon what they saw as redundant antivirus programs.
The process of migrating an organization's data and services to a big tech firm is sometimes called "moving to the cloud."
It can boost security, especially for small organizations that lack the resources to run their own IT or security departments.
But competitors squeezed by Microsoft's security offering are sounding the alarm over how wide swaths of industry and government were effectively putting all their eggs in one basket.
"Organizations need to invest in security," Adam Meyers of cybersecurity company CrowdStrike said in an email distributed to journalists on Wednesday.
"Having one monolithic vendor that is responsible for all of your technology, products, services and security can end in disaster."
Frustration is also building with Microsoft's licensing structure, which charges customers extra for the ability to see detailed forensic logs.
The issue has been a point of contention between some companies and the US government ever since a hack of business software company SolarWinds was disclosed in 2020.
On Tuesday, Microsoft revealed that it had discovered the Chinese threat actor had successfully targeted email accounts for intelligence collection, but it primarily identified the victims as government agencies in Western Europe.