The government was hacked, Microsoft misplaced its keys. Microsoft still doesn’t know how China-backed hackers obtained a key that allowed them to covertly access dozens of email inboxes, including those of multiple federal government institutions, and it is not saying what it does know.
Microsoft said in a blog post on Friday that it is still under “ongoing investigation” how the hackers got their hands on a Microsoft signing key, which they then used to forge authentication tokens that gave them access to inboxes as if they were the legitimate owners. Reported targets include U.S. Commerce Secretary Gina Raimondo, representatives of the U.S. State Department, and other organizations that have not yet been made public.
Microsoft announced the incident on Tuesday, attributing the month-long activity to Storm-0558, a recently identified espionage group it believes has strong ties to China. The intrusions, which started in mid-May, involved a small number of government accounts, estimated to be in the single digits, and the hackers stole some unclassified email data, according to the U.S. cybersecurity agency CISA. China’s top foreign ministry spokesperson rejected the claims on Wednesday, even though the U.S. government has not formally attributed the hacks.
Unlike earlier China-linked hacks, which exploited previously unknown vulnerabilities to break into individual Microsoft-powered email systems and steal corporate data, this group went straight to the source by targeting new and undisclosed flaws in Microsoft’s cloud.
Microsoft said in a blog post that the hackers had obtained one of its consumer signing keys, known as an MSA key, which the company uses to encrypt user email accounts for services like Outlook.com. Microsoft initially believed the hackers were forging authentication tokens with a stolen enterprise signing key, the kind used to protect corporate and enterprise email accounts. It later found that the hackers were instead forging tokens with the consumer MSA key to reach enterprise inboxes, which Microsoft attributed to a “validation error in Microsoft code.”
Microsoft said it has blocked “all actor activity” connected to this incident, suggesting the activity has ended and the hackers no longer have access.
Microsoft said it has strengthened its key issuance processes, presumably to prevent the hackers from minting more digital skeleton keys, though it remains unclear how the company lost control of its own keys.
The hackers made a crucial error. Because they used the same password to access multiple inboxes, Microsoft said, investigators were able to “see all actor access requests which followed this pattern across both our enterprise and consumer systems.” That is how Microsoft says it knew who was compromised and was able to notify the affected parties.
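The two technical points above, a validator that accepted tokens signed by a consumer key for enterprise resources, and the follow-on detection that found every access request matching the same pattern, can be shown side by side in a small simulation. The code below is an added example written for this page, not Microsoft’s code and not a description of its actual token format. It assumes a JWT-shaped token, uses HMAC secrets as a stand-in for the real asymmetric signing keys so it runs offline with only the standard library, and the key names, issuer-to-audience mapping and access-log records are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key material. Real signing keys are asymmetric (RSA); an HMAC
# secret stands in here so the example runs offline with only the standard library.
# Each key is bound to the issuer (token-issuing system) it is allowed to sign for.
SIGNING_KEYS = {
    "msa-key-1": {"secret": b"consumer-secret-constructed", "issuer": "consumer"},
    "ent-key-1": {"secret": b"enterprise-secret-constructed", "issuer": "enterprise"},
}

# Hypothetical mapping: which issuer's keys a given audience (resource) may trust.
AUDIENCE_ISSUER = {
    "consumer-mail": "consumer",
    "enterprise-mail": "enterprise",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-shaped token (header.payload.signature) under the named key."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(SIGNING_KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64url(mac.digest())}"


def _check_signature(token: str):
    """Return (kid, claims) if the signature verifies under the key named in the header, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        key = SIGNING_KEYS.get(header.get("kid"))
        if key is None:
            return None
        expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return header["kid"], json.loads(_b64url_decode(payload_b64))
    except (ValueError, KeyError):
        return None


def validate_permissive(token: str, audience: str):
    """Flawed validator: any key in the trusted set is accepted for any audience.
    The audience is never consulted, so a token signed by the consumer key opens
    the enterprise resource as long as the signature itself is valid."""
    result = _check_signature(token)
    return None if result is None else result[1]


def validate_strict(token: str, audience: str):
    """Hardened validator: the signing key must belong to the issuer this audience
    trusts, and the token's own aud claim must name this audience."""
    result = _check_signature(token)
    if result is None:
        return None
    kid, claims = result
    if SIGNING_KEYS[kid]["issuer"] != AUDIENCE_ISSUER.get(audience):
        return None
    if claims.get("aud") != audience:
        return None
    return claims


# Constructed token-use records of the kind a resource server could log: which key
# signed the presented token and which resource it was presented to.
SAMPLE_ACCESS_LOG = [
    {"kid": "ent-key-1", "resource": "enterprise-mail", "account": "user-a"},
    {"kid": "msa-key-1", "resource": "consumer-mail", "account": "user-b"},
    {"kid": "msa-key-1", "resource": "enterprise-mail", "account": "user-c"},
    {"kid": "msa-key-1", "resource": "enterprise-mail", "account": "user-d"},
]


def find_cross_issuer_use(records):
    """Flag every record where a key from one issuer was used against a resource that
    trusts a different issuer. Once one such request is known, the same rule surfaces
    every other request that followed the pattern."""
    flagged = []
    for rec in records:
        key = SIGNING_KEYS.get(rec["kid"])
        if key is None or key["issuer"] != AUDIENCE_ISSUER.get(rec["resource"]):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    forged = sign_token("msa-key-1", {"sub": "user-c", "aud": "enterprise-mail"})
    print("permissive accepts:", validate_permissive(forged, "enterprise-mail") is not None)
    print("strict accepts:", validate_strict(forged, "enterprise-mail") is not None)
    print("flagged:", [r["account"] for r in find_cross_issuer_use(SAMPLE_ACCESS_LOG)])
```

The design point is that a valid signature is not the same as a valid token: the verifier must also check that the key that produced the signature is one this resource is entitled to trust, and that the token was issued for this resource. The detection function is the same check run retrospectively over logged key identifiers, which is why keeping per-request key and resource fields in the logs matters for incident response.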
Although the immediate threat is believed to have passed, Microsoft is now under fire for how it handled the incident, which is believed to be the largest breach of unclassified government data since the Russian espionage campaign that compromised SolarWinds in 2020.
Dan Goodin of Ars Technica observed that Microsoft took great care to minimize the impact of its blog post by omitting terminology like “zero-day,” which refers to a vulnerability that is already being exploited before the software developer has had any time to fix it. Whether or not the flaw or its exploitation meets everyone’s definition of a zero-day, Microsoft made a point of not labeling it as such.
Compounding the key leak and its misuse, the affected government departments were themselves unaware of the intrusions. Microsoft is also under criticism for reserving security logs, which could have helped other incident responders spot the malicious activity, for government customers on the company’s top-tier package.
CNN was the first to report that the State Department discovered the hack and alerted Microsoft. The Wall Street Journal reported that departments on the higher-priced Microsoft tier had access to security logs, but other government departments did not.
In a blog post published on Monday, Mary Jo Foley, editor in chief of Directions on Microsoft, a consulting company for Microsoft customers, wrote that while the lower government tier provides some logging, it “does not keep track of specific mailbox data which would have revealed the attack.” In a call with reporters last week, a CISA official lamented the lack of accessible logging. Microsoft told the Journal that it was “evaluating feedback.”
Although Microsoft still has questions to answer, its expanded disclosure on Friday offered a glimmer of further technical detail and indicators of compromise that incident responders can use to check whether their own networks were targeted. Whether or not Microsoft has the answers available, it is unlikely to be able to close the investigation any time soon.