A Chinese hacking group breached email accounts of several US and Western European government agencies. What was their modus operandi and primary motive?
On July 11, 2023, Microsoft released information indicating that the email accounts of multiple US federal agencies and Western European government agencies had been accessed by threat actors and that sensitive data had been exfiltrated. The attack had been underway for several weeks before it was detected. The threat actors gained unauthorized access to sensitive email through Outlook Web Access (OWA) in Exchange Online and through Outlook.com.
Analysis of the Attack: Techniques, Vulnerabilities, and Implications
The threat actor obtained an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise accounts, which in turn yielded unauthorized access to Exchange Online mailboxes. The attack leveraged multiple vulnerabilities and token validation issues in the cloud security infrastructure of Azure AD and Exchange Online. For advisories and research articles on the attack, see Microsoft's blog post.
This was a nation-state attack with espionage as the motive. The attack has been attributed to Storm-0558, a sophisticated APT threat actor that identified the target mailboxes and exfiltrated sensitive data present in emails.
The primary offensive mechanisms were Identity Attacks and Data Compromise.
Cloud Security: A Shared Responsibility
Cloud services have a shared security model. The cloud service provider is responsible for the security of the cloud infrastructure and the enterprise is responsible for the security of data stored in the cloud.
As part of this shared responsibility model, enterprises need to build their own defense-in-depth mechanisms for security.
The Storm-0558 attack was performed entirely on cloud infrastructure (Azure AD, Exchange Online). It is further proof that even mature SaaS services can be breached.
Enterprises need to build defense mechanisms to detect threats against identities and data, such as the emails that were compromised in this attack.
Microsoft announced that it has mitigated this specific threat. However, the threat actor has moved to new offensive techniques, and it is only a matter of time before the threat returns.
The threat actor, Storm-0558, has been active in multiple offensive campaigns and continues to evolve its techniques to evade detection. In the past, Storm-0558 has used custom malware such as Bling and Cigril to facilitate credential stealing.
The latest attack involved the use of forged Azure AD authentication tokens. This is a new technique that had not been used by this threat actor in the past.
Microsoft has deployed mitigation mechanisms to prevent this technique. As the Microsoft research blog indicates, the threat actor has been observed to transition to other techniques. We can expect that Storm-0558 will be back soon with new techniques. Enterprises need to strengthen their defense to stay ahead of evolving threats.
Storm-0558 Exposes Limits of Log Analytics as a Defense Technique
Enterprises currently rely on log analytics as their only defense mechanism for protecting identities and data in the cloud. Log analytics has several challenges as a detection mechanism:
- Relevant logs are not always available. In this case, the cloud security log access was limited to enterprises with the highest Microsoft subscription level. Many agencies did not have access to the logs, leaving them entirely oblivious to the threat activity.
- Log analytics is time-consuming and slow. Sophisticated techniques such as the token forgery performed by Storm-0558 are very difficult to detect through log analytics alone. It took over a month for the first agency to detect anomalous actions.
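To make the log-analytics point concrete, the following added example (not code from Acalvio or Microsoft) scans a handful of constructed mailbox audit records for the two indicators a defender would look for after a signing-key compromise: mailbox reads authorised by a token signed with a key outside the tenant's enterprise key set, and reads from a client application that has never been seen before. The log format, field names, key ids, application ids and IP addresses are all invented for the example; real audit logs use a different schema.

```python
import json
from collections import Counter

# Constructed mailbox audit records in a made-up line format (not Microsoft's log
# schema and not real data). Each record names the client application, the id of
# the key that signed the caller's token, and the mailbox that was read.
SAMPLE_LOG_LINES = [
    '{"ts": "2023-06-15T09:00:00Z", "op": "MailboxItemRead", "mailbox": "alice@agency.example", '
    '"app_id": "app-owa", "signing_kid": "enterprise-key-1", "src_ip": "203.0.113.10"}',
    '{"ts": "2023-06-15T09:05:00Z", "op": "MailboxItemRead", "mailbox": "alice@agency.example", '
    '"app_id": "app-owa", "signing_kid": "enterprise-key-1", "src_ip": "203.0.113.10"}',
    '{"ts": "2023-06-15T22:41:00Z", "op": "MailboxItemRead", "mailbox": "bob@agency.example", '
    '"app_id": "app-unregistered-7c", "signing_kid": "consumer-key-1", "src_ip": "198.51.100.77"}',
    '{"ts": "2023-06-15T22:42:00Z", "op": "MailboxItemRead", "mailbox": "alice@agency.example", '
    '"app_id": "app-owa", "signing_kid": "consumer-key-1", "src_ip": "198.51.100.77"}',
    '{"ts": "2023-06-15T22:43:00Z", "op": "MailboxLogin", "mailbox": "carol@agency.example", '
    '"app_id": "app-owa", "signing_kid": "enterprise-key-1", "src_ip": "203.0.113.10"}',
    'not valid json at all',
]

# Constructed baselines an analyst would maintain: the keys allowed to sign tokens
# for this tenant, and the client applications known to read mailboxes.
ENTERPRISE_KIDS = {"enterprise-key-1"}
KNOWN_APP_IDS = {"app-owa"}


def parse_log_lines(lines):
    """Parse one JSON record per line, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_anomalous_access(events, enterprise_kids=ENTERPRISE_KIDS, known_apps=KNOWN_APP_IDS):
    """Flag mailbox reads whose token was signed by a non-enterprise key or that came
    from an unrecognised client application. Returns one finding per flagged read."""
    findings = []
    for e in events:
        if e.get("op") != "MailboxItemRead":
            continue
        reasons = []
        if e.get("signing_kid") not in enterprise_kids:
            reasons.append("token signed by key outside the enterprise key set")
        if e.get("app_id") not in known_apps:
            reasons.append("unrecognised client application")
        if reasons:
            findings.append({
                "ts": e.get("ts"),
                "mailbox": e.get("mailbox"),
                "src_ip": e.get("src_ip"),
                "reasons": reasons,
            })
    return findings


def source_ip_summary(findings):
    """Count flagged reads per source IP so infrastructure shared across mailboxes stands out."""
    return Counter(f["src_ip"] for f in findings)


if __name__ == "__main__":
    hits = detect_anomalous_access(parse_log_lines(SAMPLE_LOG_LINES))
    for hit in hits:
        print(hit["ts"], hit["mailbox"], hit["src_ip"], "; ".join(hit["reasons"]))
    print(source_ip_summary(hits))
```

The signing-key indicator is the decisive one here: a read authorised by a key that should never sign tokens for the tenant is suspicious on its own, whereas the unknown-application indicator needs a baseline that takes time to build. Both depend on the audit record actually exposing those fields, which is exactly the visibility gap the section describes.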
Empowering Zero Trust Identity and Data Protection with Acalvio’s Deception Technology
Deception provides important benefits with no dependency on logs. Deception-enabled detection yields high-fidelity alerts and is agnostic to the specific techniques leveraged by the adversary. Enterprises looking for protection from emerging threats such as Storm-0558 should deploy deception-based defense.
FAQs on Microsoft Email Hack
1. What information was stolen in the Microsoft email hack?
Microsoft investigations determined that Storm-0558 compromised approximately 25 email accounts, including government agencies, as well as related consumer accounts linked to individuals associated with these organizations. The exact details of the theft remain uncertain, but the driving force behind the act was espionage.
2. How did the hackers gain access to email accounts?
The APT group used novel techniques that abused signing and access keys. They used a stolen inactive consumer signing key (MSA key) to forge Azure AD tokens. The forged Azure AD tokens were then used to generate access tokens and steal email via the Outlook Mail API.
3. What has Microsoft done to mitigate the risk of further attacks?
Microsoft has mitigated the acquired MSA key and taken the following preemptive measures:
- Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA preventing further threat actor enterprise mail activity.
- Microsoft completed the replacement of the key to prevent the threat actor from using it to forge tokens.
- Microsoft blocked usage of tokens issued with the key for all impacted consumer customers.
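The forgery described in question 2 and the mitigations listed above both come down to what a token validator checks about the key that signed a token. The following added example (not code from Acalvio or Microsoft, and not a reconstruction of Azure AD's validator) contrasts a defective validator that accepts any registered key whose signature verifies with a hardened one that binds each key to the issuer scope it may serve, refuses retired keys, and checks expiry. Key names, issuer URLs and secrets are invented, and HMAC-SHA256 stands in for the RSA signatures real tokens carry, since the lesson is key scoping rather than the signature algorithm.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key registry. "consumer-key-1" plays the role of the inactive consumer
# signing key from the incident; "enterprise-key-1" is the key that should sign
# tokens for the enterprise tenant. Secrets and names are invented for the example.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret-1", "scope": "consumer", "status": "inactive"},
    "consumer-key-2": {"secret": b"consumer-secret-2", "scope": "consumer", "status": "active"},
    "enterprise-key-1": {"secret": b"enterprise-secret-1", "scope": "enterprise", "status": "active"},
}

# Hypothetical issuer URLs. Each issuer may only be served by keys of one scope.
ISSUER_SCOPE = {
    "https://consumer.login.example": "consumer",
    "https://enterprise.login.example/tenant-a": "enterprise",
}
ENTERPRISE_ISS = "https://enterprise.login.example/tenant-a"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Build a compact header.payload.signature token signed with the named registry key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    head, body, sig = token.split(".")
    return json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body)), _b64url_decode(sig), head + "." + body


def _signature_ok(key: dict, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def validate_weak(token: str):
    """Defective check: any registered key that yields a valid signature is accepted,
    regardless of the key's scope, its status, or the issuer the token claims."""
    header, claims, sig, signing_input = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    return True, "ok"


def validate_hardened(token: str, expected_iss: str, now: float = None):
    """Verify the signature, then require an active key whose scope matches the
    expected issuer, the expected issuer claim, and an unexpired token."""
    header, claims, sig, signing_input = _split(token)
    now = time.time() if now is None else now
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    if key["status"] != "active":
        return False, "key retired"          # what blocking the acquired key looks like
    if claims.get("iss") != expected_iss:
        return False, "unexpected issuer"
    if key["scope"] != ISSUER_SCOPE[expected_iss]:
        return False, "key not valid for this issuer"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    claims = {"iss": ENTERPRISE_ISS, "sub": "user@tenant-a.example", "exp": 1_700_000_000}
    forged = mint_token("consumer-key-1", claims)   # consumer key carrying enterprise claims
    legit = mint_token("enterprise-key-1", claims)
    print("weak, forged     :", validate_weak(forged))
    print("hardened, forged :", validate_hardened(forged, ENTERPRISE_ISS, now=1_600_000_000))
    print("hardened, legit  :", validate_hardened(legit, ENTERPRISE_ISS, now=1_600_000_000))
```

The ordering in the hardened validator matters: the signature is checked before any claim is trusted, and the key's status and scope are checked before the issuer claim is compared, so a retired key is rejected even if every claim in the token looks right. Rotating the key (the second mitigation above) corresponds to replacing the registry entry, and blocking tokens signed with the acquired key (the first and third) corresponds to marking it inactive.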
4. What can organizations do to protect themselves from similar attacks?
Organizations seeking security against such emerging threats should consider implementing a defense strategy centered around Deception Technology.