Microsoft still doesn’t know — or want to share — how China-backed hackers stole a key that allowed them to stealthily break into dozens of email inboxes, including those belonging to several federal government agencies.
In a blog post Friday, Microsoft said it was a matter of “ongoing investigation” how the hackers obtained a Microsoft signing key that was abused to forge authentication tokens that allowed the hackers’ access to inboxes as if they were the rightful owners. Reports say targets include U.S. Commerce Secretary Gina Raimondo, U.S. State Department officials and other organizations not yet publicly revealed.
Microsoft disclosed the incident last Tuesday, attributing the month-long activity to a newly discovered espionage group it calls Storm-0558, which it believes has a strong nexus to China. U.S. cybersecurity agency CISA said the hacks, which began in mid-May, included a small number of government accounts said to be in the single digits and that the hackers exfiltrated some unclassified email data. While the U.S. government has not publicly attributed the hacks, China’s top foreign ministry spokesperson denied the allegations on Wednesday.
Where China has used previously unknown vulnerabilities to individually hack into Microsoft-powered email servers to steal corporate data, this hacking group instead went directly to the source by targeting new and undisclosed vulnerabilities in Microsoft’s cloud.
In its blog post, Microsoft said the hackers acquired one of its consumer signing keys, or MSA key, which the company uses to secure consumer email accounts, like for accessing Outlook.com. Microsoft said it initially thought the hackers were forging authentication tokens using an acquired enterprise signing key, which are used to secure corporate and enterprise email accounts. But, Microsoft found that the hackers were using that consumer MSA key to forge tokens that allowed them to break into enterprise inboxes. Microsoft said this was because of a “validation error in Microsoft code.”
Microsoft said it has blocked “all actor activity” related to this incident, suggesting that the incident is over and that the hackers lost access. Though it’s unclear how Microsoft lost control of its own keys, the company said it’s hardened its key issuance systems, presumably to prevent hackers from churning out another digital skeleton key.
The hackers made one key mistake. By using the same key to raid several inboxes, Microsoft said this allowed investigators “to see all actor access requests which followed this pattern across both our enterprise and consumer systems.” To wit, Microsoft knows who was compromised and said it notified those affected.
With the immediate threat thought to be over, Microsoft now faces scrutiny for its handling of the incident, thought to be the biggest breach of unclassified government data since the Russian espionage campaign that hacked SolarWinds in 2020.
As noted by Ars Technica’s Dan Goodin, Microsoft went to great lengths to do damage control in its blog post, avoiding terms like “zero-day,” referring to when a software maker has zero days notice to fix a vulnerability that has already been exploited. Whether or not the bug or its exploitation fits everyone’s definition of a zero-day, Microsoft went out of its way to avoid describing it as such, or even to call it a vulnerability.
Compounding the key leak and its misuse was a lack of visibility into the intrusions by the government departments themselves. Microsoft is also taking heat for reserving security logs for the government accounts with the company’s top-tier package that may have helped other incident responders identify malicious activity.
CNN first reported that the State Department initially detected the breach and reported it to Microsoft. But not every government department had the same level of security logging, which according to The Wall Street Journal was available to departments with higher-paid tier Microsoft accounts but not others. Mary Jo Foley, editor in chief of Directions on Microsoft, a consultancy firm for Microsoft customers, said in a blog post Monday that the lower government tier offers some logging, but “does not keep track of specific mailbox data which would have revealed the attack.” A CISA official criticized the lack of available logging in a call with reporters last week. Microsoft told the Journal that it was “evaluating feedback.”
Microsoft’s expanded disclosure on Friday offered a glimmer of more technical details and indicators of compromise that incident responders can check if their networks were targeted, the technology giant still has questions to answer. Whether or not Microsoft has the answers ready, it’s not likely to be an investigation the technology giant can shake any time soon.