Date: July 12, 2023 | Threat Intel / Cyber Espionage
On Tuesday, Microsoft disclosed that it had detected and mitigated a cyber espionage campaign by a China-based nation-state actor. The operation targeted roughly two dozen organizations, including government agencies, with the aim of stealing sensitive data.
The intrusion began on May 15, 2023, with unauthorized access to email accounts at roughly 25 organizations and a small number of related consumer accounts.
Microsoft attributed the operation to Storm-0558, a China-based state-sponsored group that primarily targets government agencies in Western Europe.
Microsoft stated, “Storm-0558’s operations primarily aim at espionage, data theft, and obtaining credentials. They are also notorious for utilizing custom malware known as Cigril and Bling for accessing credentials.”
The intrusion was identified a month later, on June 16, 2023, when a customer reported anomalous mail activity to Microsoft.
Microsoft did not name the targeted or compromised organizations or give the number of affected accounts, but said it has notified every affected organization through its tenant administrators. The Washington Post reported that unclassified U.S. government email accounts were among those breached.
The attackers reached customer email accounts through Outlook Web Access (OWA) in Exchange Online and through Outlook.com by forging authentication tokens.
Microsoft elaborated, “The attackers used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are supposed to be valid only for their respective systems.”
The attackers then exploited a token validation issue to impersonate Azure AD users and so gain access to enterprise mail. In other words, tokens signed with the consumer (MSA) key were accepted where only an enterprise (Azure AD) signature should have been trusted.
Microsoft found no evidence that the attacker used Azure AD keys or any other MSA keys in the attacks. To contain the impact, it has blocked OWA from accepting tokens signed with the acquired MSA key.
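The failure described above is a key-scope confusion: a validator that looks a token's signing key up in the union of all trusted key sets, instead of in the key set that belongs to the token's own issuer, will accept enterprise claims signed with a consumer key. The following is an added illustration, not Microsoft's code or a reconstruction of its validation library. It uses HMAC secrets in place of the RSA key pairs real MSA and Azure AD tokens are signed with, and the issuer URLs, key IDs, tenant name, audience, timestamp and account names are all constructed for the example. It shows the flawed lookup beside an issuer-scoped one, plus the revocation step that corresponds to blocking tokens signed with the compromised key.

```python
import base64
import hashlib
import hmac
import json

# Constructed key stores. Real MSA and Azure AD signing keys are RSA key pairs;
# HMAC secrets stand in here so the example runs with the standard library only.
MSA_KEYS = {"msa-key-2016": b"constructed-consumer-signing-secret"}
AAD_KEYS = {"aad-key-2023": b"constructed-enterprise-signing-secret"}

MSA_ISSUER = "https://login.live.com"                      # consumer (MSA) issuer
AAD_ISSUER = "https://login.microsoftonline.com/contoso"   # enterprise issuer, constructed tenant
KEYS_BY_ISSUER = {MSA_ISSUER: MSA_KEYS, AAD_ISSUER: AAD_KEYS}
EXCHANGE_AUD = "https://outlook.office365.com"             # audience OWA expects (assumed)
REVOKED_KIDS = set()                                       # key IDs blocked after compromise
NOW = 1_686_873_600                                        # constructed clock: 2023-06-16 UTC


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature); anyone holding `key` can do this."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_naive(token: str, expected_aud: str, now: int = NOW):
    """Flawed validator: looks the kid up in the union of all trusted key sets, so a
    consumer key can vouch for a token whose `iss` claims the enterprise directory."""
    header, claims, sig, signing_input = _parse(token)
    key = {**MSA_KEYS, **AAD_KEYS}.get(header.get("kid"))
    if header.get("alg") != "HS256" or key is None:
        return None
    if not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None
    return claims


def validate_strict(token: str, expected_aud: str, now: int = NOW):
    """Hardened validator: the kid must belong to the key set of the token's own
    issuer, and a revoked kid is refused before the signature is even checked."""
    header, claims, sig, signing_input = _parse(token)
    kid = header.get("kid")
    if header.get("alg") != "HS256" or kid in REVOKED_KIDS:
        return None
    key = KEYS_BY_ISSUER.get(claims.get("iss"), {}).get(kid)   # issuer-scoped lookup
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None
    return claims


def forged_enterprise_token(now: int = NOW) -> str:
    """What an attacker holding the consumer key can mint: enterprise claims, consumer kid."""
    claims = {"iss": AAD_ISSUER, "aud": EXCHANGE_AUD, "upn": "alice@contoso.com", "exp": now + 3600}
    return sign_token(claims, "msa-key-2016", MSA_KEYS["msa-key-2016"])


def legitimate_enterprise_token(now: int = NOW) -> str:
    """The same claims signed by the enterprise issuer's own key."""
    claims = {"iss": AAD_ISSUER, "aud": EXCHANGE_AUD, "upn": "alice@contoso.com", "exp": now + 3600}
    return sign_token(claims, "aad-key-2023", AAD_KEYS["aad-key-2023"])


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("naive accepts forged token :", validate_naive(forged, EXCHANGE_AUD) is not None)
    print("strict accepts forged token:", validate_strict(forged, EXCHANGE_AUD) is not None)
    REVOKED_KIDS.add("msa-key-2016")   # the mitigation: block the compromised key outright
    print("strict accepts legit token :", validate_strict(legitimate_enterprise_token(), EXCHANGE_AUD) is not None)
```

The design point is the order of operations in `validate_strict`: the issuer claim selects the key set before any signature is verified, so a key ID from the wrong issuer never reaches the signature check, and a revoked key ID is rejected regardless of what it signed. With real RS256 tokens the same rule applies to JWKS fetching: resolve the JWKS endpoint from the expected issuer, never from a URL or key ID the token itself supplies.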
Charlie Bell, the executive vice president of Microsoft Security, explained, “Adversaries motivated by espionage often aim to misuse credentials and gain access to data stored in sensitive systems.”
The disclosure follows Microsoft's late-May report on attacks against U.S. critical infrastructure by Volt Typhoon (also tracked as Bronze Silhouette and Vanguard Panda), a separate Chinese state-sponsored group.
Key Points Summarized
- Microsoft mitigated a cyber espionage campaign by Storm-0558, a China-based nation-state actor that primarily targets government agencies in Western Europe.
- The intrusion began on May 15, 2023, and involved access to email accounts at roughly 25 organizations, plus a small number of related consumer accounts.
- Storm-0558 focuses on espionage, data theft, and credential access, and is known to use custom malware tracked as Cigril and Bling.
- The intrusion was detected a month later, on June 16, 2023, when a customer reported anomalous mail activity to Microsoft.
- The attackers forged authentication tokens with an acquired MSA consumer signing key and, via a token validation issue, used them against Outlook Web Access in Exchange Online and Outlook.com.
- Microsoft has blocked OWA from accepting tokens signed with the acquired MSA key to contain the impact.
- The announcement follows Microsoft's late-May report on U.S. critical infrastructure attacks by a separate Chinese group, Volt Typhoon.