Last month, the U.S. State Department identified anomalous activity and alerted Microsoft to the attack, according to a spokesperson. A subsequent investigation by the company determined that the hackers accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts, according to a statement from the U.S. Cybersecurity and Infrastructure Security Agency, known as CISA.
The U.S. Commerce Department was also breached and took immediate action after being notified by Microsoft, a spokesperson said. The department is monitoring its systems and would respond promptly if additional activity is detected, the spokesperson added.
It wasn’t known which other U.S. agencies were affected by the breach, but a senior official said the number was in the single digits.
In an interview with ABC News on Wednesday morning, national security adviser Jake Sullivan said, “We detected it fairly rapidly, and we were able to prevent further breaches. The matter is still being investigated.”
In a blog post published Tuesday night, Microsoft described the group behind the attack as China-based and named it Storm-0558. The hackers were able to remain undetected for a month after gaining access to email data from around 25 organizations in mid-May.
“We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection,” Charlie Bell, an executive vice president at Microsoft, wrote in another post.
It also wasn’t clear which European governments were affected. Italian cybersecurity officials said they were in contact with Microsoft “in order to identify potential Italian subjects involved in the latest attacks.”
Asked about the findings, China’s Foreign Ministry spokesman Wang Wenbin, at a regular briefing Wednesday, accused the U.S. of being the world’s largest cyberattacker.
U.S. officials described the attacks as targeted and focused on a small number of accounts at the agencies that were breached, as opposed to a hack seeking to steal large amounts of data. CISA and the FBI issued a joint advisory urging organizations to harden their Microsoft 365 cloud environments.
The hacking campaign got underway in the weeks before Secretary of State Antony Blinken arrived in Beijing to meet with top officials, including Chinese President Xi Jinping.
A key remaining question is how the hackers were able to pull off the breach.
The hackers used “forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key,” Microsoft’s Bell said in his post. The hackers were then able to access Outlook email hosted on systems run and operated by Microsoft.
But how hackers obtained the signing key that gave them access to these emails remains unknown.
“The big question here really is where did they get the MSA-key to sign tokens,” said Sami Laiho, a computer security expert who specializes in Microsoft products. One possible explanation, Laiho said, is that Microsoft itself was breached.
Microsoft didn’t immediately respond to a request for comment about how hackers obtained the signing key.
The senior official used the news of the breach to highlight a source of tension between Microsoft and the U.S. government: logging. Logs allow cybersecurity investigators to dig through digital clues left behind on their own systems to figure out if they’ve been hacked and who may be responsible.
More advanced logging can capture and record granular actions made by a user, like if a certain email was accessed.
At issue is whether Microsoft should sell logging as a premium add-on for government customers or include it in its product for free.
A lack of logging complicated the investigation into the so-called SolarWinds attack, which was disclosed in 2020. In that episode, Russian state-sponsored hackers inserted a malicious update into software made by SolarWinds Corp., which installed a digital backdoor that they could then use to further infiltrate SolarWinds customers. Ultimately, nine U.S. agencies and about 100 companies were breached via the SolarWinds update and other methods.
Microsoft offered its premium logging feature for free for about a year in the wake of the SolarWinds hack. CISA and others have said that logs should be free, maintaining that they are crucial for detecting and investigating security incidents.
On Wednesday, the senior official said some of the affected U.S. agencies paid for a premium logging feature and were able to detect the breach on their own. Microsoft, which retains the logs, was able to identify other organizations that were hacked but didn’t pay for logging.
Requiring organizations to pay for better logging is a recipe for inadequate visibility into what has occurred in networks, the official said, adding that the issue requires urgent attention.
© 2023 Bloomberg L.P. Distributed by Tribune Content Agency, LLC.