The United States and Microsoft are implicating China’s state-backed hacking teams in penetrating US government email accounts, in a campaign that reportedly began in mid-May. Microsoft’s threat research team says that the Chinese hackers breached at least two dozen organizations in total, including multiple federal agencies such as the State Department and the Department of Commerce.
While the Chinese hackers appear to have had broad success, they also appeared to be targeting specific individuals for espionage purposes and the overall total of breached government email accounts was “small.” As has become standard, China has denied the claims and accused the US government of conducting its own aggressive hacking campaigns.
Microsoft: Chinese hackers took “surgical” approach in targeting high-level officials
Microsoft attributes the attack to Chinese hackers based on the origin of the activity and the information that was sought. The hackers were in possession of forged authentication tokens that potentially granted very broad access, but seemed to be used strategically to target a few specific high-level government email accounts at each agency. Commerce Secretary Gina Raimondo was named as one of the parties that had their email account breached, and several unspecified members of the House of Representatives were also targeted.
Government sources said the breach campaign, which remains under investigation, began in mid-May and only impacted unclassified systems. It was reportedly first detected at the State Department on June 16, where IT staff brought in Microsoft’s security team in response.
Microsoft then notified other impacted departments and organizations. None of the sources made note of a particular pattern, but government email accounts in the Department of Commerce may have been targeted by the Chinese hackers due to a recent wave of sanctions directed at both semiconductor producers and chemical companies thought to be involved in fentanyl production.
The attack traces back to a stolen Microsoft account (MSA) consumer signing key, which was used to forge authentication tokens for specific government email accounts of interest to the Chinese hackers. The attacks appear to have been conducted by using Outlook Web Access (OWA) and Outlook.com to read email. Microsoft has blocked the forged tokens and replaced the MSA key, neutralizing any further attacker activity.
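The mechanism described above, as an added illustration that is not Microsoft's code or its real token format: a verifier that pins tokens to a set of currently trusted signing-key ids, so that once a stolen key is retired (the "replaced the MSA key" step) every token it signed is refused even though the signature itself still checks out. Key ids, issuer and audience names are constructed for the example, and Ed25519 stands in for the provider's actual signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is an illustrative, minimal token body (not Microsoft's real format); Kid names the signing key.
type Claims struct{ Kid, Iss, Aud string; Exp int64 }
// KeySet holds the signing keys the verifier currently trusts, by key id.
type KeySet map[string]ed25519.PublicKey

// Sign produces "<base64url claims>.<base64url signature>" under a private signing key.
func Sign(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	return base64.RawURLEncoding.EncodeToString(body) + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, body))
}

// Verify accepts a token only if its Kid is still trusted, the signature holds under that key, and issuer, audience and expiry match.
func Verify(ks KeySet, tok, wantIss, wantAud string, now int64) (Claims, error) {
	var c Claims
	b64body, b64sig, found := strings.Cut(tok, ".")
	body, e1 := base64.RawURLEncoding.DecodeString(b64body)
	sig, e2 := base64.RawURLEncoding.DecodeString(b64sig)
	if !found || e1 != nil || e2 != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("malformed token")
	}
	// A mathematically valid signature is not enough: the key id must still be trusted.
	if pub, ok := ks[c.Kid]; !ok || !ed25519.Verify(pub, body, sig) {
		return c, errors.New("no valid signature under a currently trusted key: " + c.Kid)
	}
	if c.Iss != wantIss || c.Aud != wantAud || c.Exp <= now {
		return c, errors.New("issuer, audience or expiry does not match this service")
	}
	return c, nil
}

// Scenario mints a token under key "k1", retires k1 (as a provider does once it learns the key was stolen) and re-checks the same token.
func Scenario() (beforeRotation, afterRotation error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ks := KeySet{"k1": pub}
	tok := Sign(priv, Claims{Kid: "k1", Iss: "idp.example", Aud: "mail.example", Exp: 2_000_000_000})
	_, beforeRotation = Verify(ks, tok, "idp.example", "mail.example", 1_700_000_000)
	delete(ks, "k1") // key rotation: the compromised key id is no longer trusted
	_, afterRotation = Verify(ks, tok, "idp.example", "mail.example", 1_700_000_000)
	return beforeRotation, afterRotation
}
```

The same check also covers the case where an attacker holding a stolen key mints a token for a service or tenant the key was never meant to vouch for: the issuer and audience comparison, not the signature alone, decides acceptance.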
The Chinese hackers were able to operate undetected for about a month, however, and there are indications that they exfiltrated some amount of Exchange Online data during that time. Part of the issue may have been the fact that it took an advanced data-logging feature to notice their activities, something that is only available as part of a paid premium subscription from Microsoft that not all federal agencies are provided with.
Joseph Carson, chief security scientist and Advisory CISO at Delinea, notes that while Microsoft does charge a premium for some of these added services, they can be well worth the money for highly targeted organizations: “Microsoft has really become one of the world’s leading security vendors and has taken swift action to stop these attackers in their tracks before any serious damage could have been done. It is great to see the organization taking responsibility and being transparent into the incident to ensure that security professionals are aware and can be ready to respond when needed. While most cyber-attacks are conducted by cybercriminals who are financially motivated, we must remember that espionage, data theft, and credential access continue to be a top target by nation-state backed attackers as well.”
“The reminder here is to always assume breach and that an attacker could be active on your network and resources. Therefore, we recommend that organizations periodically check for abnormal credential and identity activity on their networks, rotate credentials periodically and implement strong privileged access security controls that prevent lateral moves,” added Carson.
Willy Leichter, VP of Cyware, notes that there is still room for improvement even with these leading cybersecurity services: “Attacks like this will continue to grow in frequency, as vulnerabilities are inevitable, and many well-funded hacking groups are always looking to exploit them. The critical test is how quickly organizations like Microsoft react and take definitive action to stop the spread. In this case, 3+ weeks from the problem being reported to being fixed is well above industry average, but still leaves a large window of exposure. But compared to SolarWinds (which was exploited for months), we’re making progress.”
Impact to federal government email accounts still not fully known
Microsoft has pointed the finger at “Storm-0558,” a hacking group that has been active for some time and previously specialized in attacking targets in Western Europe. A recent report from Microsoft assesses with “moderate confidence” that this is a group of Chinese hackers, based on its working hours, methods and associations with another known Chinese state-sponsored group (Zirconium). The group has a particular interest in Taiwan’s affairs and anything to do with the Uyghurs. It has an established pattern of targeting high-value corporate or government email accounts in a manner similar to this recent attack, and has employed phishing in other incidents in addition to token forgery.
While Russia has typically attracted the most attention as a US hacking adversary, best typified by the SolarWinds SUNBURST cyber attacks and its repeated incursions into electrical grid systems, US officials note that China is now regarded as the most technically advanced adversary and that no other rival nation puts nearly as much money or staff into its hacking programs. While Russia has racked up more recent large-scale data breaches, China has a long record in this area as well. Chinese hackers have been linked to the 2015 theft of records from the Office of Personnel Management, and four members of the People’s Liberation Army were also indicted in connection with the 2017 breach of Equifax.
It’s generally a safe assumption that any attacker employing an approach that requires substantial funding and that focuses on long-term espionage over an attempt to immediately make money is a state-backed actor of some sort.
Zane Bond, Head of Product at Keeper Security, notes that these groups also often collect and sit on novel “zero day” vulnerabilities for this purpose: “A state-sponsored attack on government agencies is of grave concern. A threat actor gaining access to emails poses a serious threat to any victim organization with potential impacts to national security due to Microsoft’s assessment that the adversary was focused on espionage. Nation state adversaries are well-resourced and particularly difficult to defend against. They can utilize an undiscovered zero-day vulnerability to attack, but this comes with risks, as these types of attacks can be quite noisy, are highly visible and easy for victims to triage. From a technical perspective, this attack highlights an unexpected advantage of cloud providers that also provide security. Because this attack targeted the cloud, as opposed to individual customers, Microsoft was able to immediately patch and resolve this issue for all of its Azure customers globally.”
Erich Kron, Security Awareness Advocate at KnowBe4, sees this incident as a reminder to lock down all government email accounts with multi-factor authentication, particularly if they are used as a means of password recovery for other types of accounts: “Controlling access to legitimate email accounts is one of the more dangerous tools that bad actors can have in their toolbox. Not only do many of us use our email accounts to reset passwords, potentially to platforms these bad actors would like to access, but there are also conversations that have taken place that can be used to attempt to steal information or take actions. It’s not unusual to see a bad actor restart an email thread, or take an active role in email discussions through the compromised account, using the trust built through previous interactions to victimize people.”
“Email is also the source of a lot of potentially sensitive information that is shared within an organization. People tend to trust internal organizationally managed email systems to have conversations about sensitive topics, something that they would not do using a commercial email platform such as Gmail or Hotmail,” added Kron. “Generally speaking, it is a good idea to enable multi-factor authentication on email accounts to help protect against account takeover through stolen credentials or easily guessed passwords. In this case, because they are using forged tokens, protections may be limited by MFA. It is very important that users report potential email oddities, such as receiving a notification of an e-mail received, but having it missing from the inbox, as that may be a sign of a bad actor communicating with someone else, then trying to cover their tracks.”