Keyboard with red backlight showing Chinese hackers cyber espionage

Cyber Espionage Incident Involving Microsoft Cloud Expands, Chinese Hackers May Have Compromised “Hundreds of Thousands” of Government Email Accounts

A recent cyber espionage campaign by Chinese hackers compromised numerous federal agencies, but was thought to have specifically targeted just a few email accounts at each one.

The assessment of the damage from that campaign has now been revised and greatly expanded, with more senior officials and ambassadors confirmed to have been targeted and potentially “hundreds of thousands” of email accounts breached.

Chinese hackers took US Government by surprise with “stealthy and sophisticated” cyber attack

News of the cyber espionage campaign, which reportedly took place from mid-May to at least mid-June, broke on July 12. At the time the reporting was that quite a few federal agencies had been compromised, but the Chinese hackers were selective about the email accounts they targeted and Commerce Secretary Gina Raimondo was the only high-level official named as a victim.

A recent Wall Street Journal report has updated that account. The report cites sources “familiar with the matter” in claiming that the number of compromised email accounts is in the hundreds of thousands, and that at least two more high-level officials were among those breached by the cyber espionage campaign: assistant secretary of state for East Asia Daniel Daniel Kritenbrink, and Ambassador to China Nicholas Burns.

The cyber espionage campaign began with the Chinese hackers somehow getting their hands on a Microsoft signing key, which was then used to forge authentication tokens to slip into email accounts via Outlook.com and Outlook OWA. At least 25 organizations were thought to be impacted, including an unspecified number of federal agencies. The Commerce and State Departments were confirmed to be hit by the breach.

The attacks do still seem to be highly targeted, with the Chinese hackers most interested in a recent trip to their country that included Secretary of State Antony Blinken and Kritenbrink. Blinken said that the incident is still under investigation. As it usually does, China has denied that it engages in cyber espionage and has accused Washington of similar activities.

Chinese cyber espionage has become a leading US security concern

The new reporting raises fresh questions about the actual total damage done by the cyber espionage campaign, but US officials maintain that only unclassified email accounts were accessed by the Chinese hackers and that there was probably little in the way of useful intelligence in them.

Microsoft named Storm-0558 as the culprits, a known team of Chinese hackers that is believed to be state-sponsored and that has been active for some time primarily targeting government email accounts in countries throughout western Europe. Microsoft bases this assessment on the group’s tactics, targets and seemingly deep pockets for the resources needed to carry out its attacks.

Microsoft said that a “flaw in code” was what led to the theft of the key that enabled the cyber espionage campaign, but cybersecurity professionals have noted that the attack is also something that can readily be spotted if an included Microsoft logging feature is enabled. The trouble is, that feature is only available at a higher paid tier of its Purview Audit service that not all of the government agencies are subscribed to. This immediately led to government calls to make this feature freely available to all customers. Microsoft and CISA have since agreed to an expansion of the company’s cloud logging capability, making it available to a broader range of customers for free in an initiative that will roll out “over the coming months.”

As of late, the US government has put much more focus on Chinese hackers and their innovations in cyber espionage techniques. China now fields dozens of state-sponsored hacking groups, each usually tasked with specific missions and geopolitical areas to focus on, and spends much more money on these efforts than any other country in the world. Leading cyber defense firm Mandiant stated in a May report on a Fortinet breach that China has made vast improvements in its capability since the beginning of 2022, improving far more than any other similar threat actor in the field.

While federal agencies were the central focus of this recent incident, Chinese hackers also frequently sweep private companies into their cyber espionage campaigns. A June report from Mandiant finds that state-sponsored teams working out of the country are likely responsible for hundreds of recent private sector breaches, making use of a vulnerability in the Barracuda Networks Email Security Gateway. Attacks by Chinese spies have struck hotel giant Marriott, major health insurance provider Anthem and prior breaches of Microsoft among others.

Oz Alashe, CEO at CybSafe, notes that large organizations and any that do work with government agencies (both state/local and federal) or critical infrastructure companies should realistically expect to be targeted by advanced nation-state hacking teams at some point: “As global tensions continue and government institutions remain as targets for state-sponsored cyber attacks, it’s essential that leaders prioritise cyber security awareness, hygiene, and behaviours throughout their organisation – from the very top. Implementing basic tick-box security measures isn’t enough anymore, and organisations need to be able to target and improve the specific behaviours that lead to exploitable vulnerabilities.”

“Given the increasing number and complexity of cyber attacks, adopting a comprehensive approach to cyber security that integrates technology and human-centric strategies is essential. People are the first and last line of defence in protecting an organisation’s data, and they should be given the tools to safeguard that data and be part of the solution,” added Alashe.