After receiving a report from a US federal government agency, Microsoft discovered that a Chinese espionage actor it calls Storm-0558 gained access to its cloud-based Outlook Web Access in Exchange Online (OWA) and to the Outlook.com unclassified email service for about a month starting on May 15, 2023, as part of a targeted campaign that affected 25 organizations. The attackers gained access to email data by using forged authentication tokens signed with a Microsoft account signing key they had acquired, although it is unclear whether Microsoft itself experienced a breach. The software giant mitigated the attack for all customers without requiring any action on their part and said it added “substantial automated detections for known indicators of compromise associated with this attack to harden defenses and customer environments.”
Although Microsoft did not name the initial reporting agency, the US State Department was the first to detect the espionage campaign. The hack was discovered in June, close to the time of Antony Blinken’s travel to China; Blinken was the first US secretary of state to visit Beijing in five years.
The Chinese threat actors also breached emails at the Commerce Department, including those of Secretary Gina Raimondo. The Commerce Department has been active in limiting US exports of technology to China, given that country’s surveillance activities and aggressive military modernization.
While Microsoft attributes the campaign to China, the US government has refrained from doing so. “In terms of attribution, the sophistication of this attack where actors were able to access the mailbox content of victims is indicative of APT activity, but we are not prepared to discuss attribution at a more specific level,” a senior FBI official told reporters.
Although government officials won’t reveal which agencies or how many accounts were affected, “the number of United States organizations is in the single digits, and the number of impacted accounts for each was a small number,” a senior CISA official told reporters. “This appears to have been a very targeted surgical campaign that was not seeking the breadth of access that we have seen in other campaigns such as SolarWinds.”
Audit logging was crucial to the campaign’s discovery
Following Microsoft’s announcement of the campaign, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) titled Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, to guide agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments.