In a recent blog post, Microsoft revealed a concerning security breach orchestrated by Chinese hackers. The hackers managed to gain access to one of Microsoft’s digital keys, exploiting a flaw in the company’s code to steal emails from various entities, including U.S. government agencies. The attack was carried out by using the stolen signing key to forge authentication tokens, allowing the hackers to access inboxes as if they were legitimate users.
According to Microsoft and U.S. officials, this covert operation by Chinese state-linked hackers had been ongoing since May, affecting around 25 organizations, including at least two government agencies: the State and Commerce Departments. Microsoft attributed the month-long cyber activity to a newly identified espionage group named Storm-0558, with strong ties to China.
As the investigation continues, Microsoft remains puzzled as to how the hackers acquired their signing key, which was misused to forge authentication tokens for unauthorized inbox access. Targets of the attack include prominent figures like U.S. Commerce Secretary Gina Raimondo, U.S. State Department officials, and other undisclosed organizations.
In its blog post, Microsoft clarified that the hackers obtained a consumer signing key, known as an MSA key, originally used to secure consumer email accounts like Outlook.com. However, the hackers ingeniously used this key to forge tokens for breaking into enterprise inboxes, taking advantage of a “validation error in Microsoft code.”
Although Microsoft claims to have blocked all malicious activity related to this breach, how the hackers got their hands on the company’s signing key remains unclear. The tech giant has now fortified its key issuance systems to prevent a recurrence of this kind of security breach.
One fortunate mistake made by the hackers was their use of the same key for multiple inbox raids. This allowed investigators to trace and identify all unauthorized access requests across both Microsoft’s enterprise and consumer systems, enabling them to notify those affected and gain a better understanding of the extent of the breach.
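As an added illustration, not code from Microsoft’s post or from any Microsoft system, the block below models the two points the article makes. First, the kind of validation error described above: a verifier that accepts a token as long as some key in its store signed it, without checking that the key is scoped for the service being accessed (a consumer key honoured by enterprise mailboxes), shown beside a verifier that rejects a key used outside its scope. Second, the tracing the article says the reuse of a single key made possible: a sweep over access logs from both consumer and enterprise systems that finds every mailbox touched with one key id and flags cross-scope use. The key ids, secrets, scopes and log entries are all constructed, and HMAC stands in for the asymmetric signing keys real token services use so the example runs with the standard library.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, List

# Constructed key store: key id -> secret and the scope the key is issued for.
# A real token service would hold public keys; HMAC keeps the example self-contained.
KEYS: Dict[str, Dict[str, object]] = {
    "msa-consumer-01": {"secret": b"consumer-secret", "scope": "consumer"},
    "aad-enterprise-01": {"secret": b"enterprise-secret", "scope": "enterprise"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint header.payload.signature with the named key (stands in for the issuer)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _check_signature(token: str) -> tuple:
    """Shared step: confirm a known key produced the signature; return (kid, claims)."""
    h, p, s = token.split(".")
    header = json.loads(_unb64(h))
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    return header["kid"], json.loads(_unb64(p))


def verify_signature_only(token: str, service_scope: str) -> dict:
    """Weak verifier: any key in the store is good enough, whatever service it was issued for.
    The 'aud' claim offers no protection here because whoever holds the key writes the claims."""
    _, claims = _check_signature(token)
    if claims.get("aud") != service_scope:
        raise ValueError("audience mismatch")
    return claims


def verify_for_service(token: str, service_scope: str) -> dict:
    """Hardened verifier: the key itself must be scoped for the service presenting the token.
    Key scope comes from the verifier's own store, which a forged token cannot influence."""
    kid, claims = _check_signature(token)
    if KEYS[kid]["scope"] != service_scope:
        raise ValueError(f"key {kid} is scoped '{KEYS[kid]['scope']}', not '{service_scope}'")
    if claims.get("aud") != service_scope:
        raise ValueError("audience mismatch")
    return claims


def is_accepted(verifier: Callable[[str, str], dict], token: str, service_scope: str) -> bool:
    """True if the verifier lets the token through, False if it raises."""
    try:
        verifier(token, service_scope)
        return True
    except ValueError:
        return False


# Constructed access-log entries from both systems; 'system' is the scope of the
# service that accepted the token, 'kid' the key that signed it.
SAMPLE_LOGS: List[dict] = [
    {"ts": "2023-05-15T10:00:00Z", "system": "consumer", "kid": "msa-consumer-01", "mailbox": "user@outlook.example"},
    {"ts": "2023-05-16T11:20:00Z", "system": "enterprise", "kid": "msa-consumer-01", "mailbox": "official@agency.example"},
    {"ts": "2023-05-16T11:25:00Z", "system": "enterprise", "kid": "aad-enterprise-01", "mailbox": "staff@corp.example"},
    {"ts": "2023-05-20T09:00:00Z", "system": "enterprise", "kid": "msa-consumer-01", "mailbox": "secretary@dept.example"},
]


def find_cross_scope_use(logs: List[dict]) -> List[dict]:
    """Detection: entries where the accepting system does not match the signing key's scope."""
    return [e for e in logs if KEYS.get(e["kid"], {}).get("scope") != e["system"]]


def affected_mailboxes(logs: List[dict], kid: str) -> List[str]:
    """Scoping: every mailbox, on any system, accessed with a token signed by one key id."""
    return sorted({e["mailbox"] for e in logs if e["kid"] == kid})


if __name__ == "__main__":
    forged = sign_token("msa-consumer-01", {"sub": "official@agency.example", "aud": "enterprise"})
    print("weak verifier accepts consumer-key token for enterprise:", is_accepted(verify_signature_only, forged, "enterprise"))
    print("hardened verifier accepts it:", is_accepted(verify_for_service, forged, "enterprise"))
    print("cross-scope entries:", [e["mailbox"] for e in find_cross_scope_use(SAMPLE_LOGS)])
    print("mailboxes touched by msa-consumer-01:", affected_mailboxes(SAMPLE_LOGS, "msa-consumer-01"))
```

The difference between the two verifiers is where the deciding fact comes from: a claim inside the token is written by whoever holds the signing key, so it cannot restrict that key, whereas the scope recorded against the key in the verifier’s own store can. The log sweep is the defender’s side of the article’s last paragraph: because every forged token carries the same key id, one filter over both systems’ logs enumerates the affected mailboxes and surfaces the consumer-key-on-enterprise pattern as an alertable condition.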