60,000 State Department Emails Exposed in Microsoft Breach
A recently published report reveals that a highly sophisticated Chinese cyber-espionage operation, targeting Microsoft Outlook accounts, granted Beijing unauthorized access to tens of thousands of confidential US government emails.
According to the report, the Storm-0558 group successfully pilfered 60,000 emails from 10 State Department accounts, with nine of these belonging to individuals involved in East Asia and Pacific diplomatic affairs, as disclosed by a Senate staff member to Reuters. Additionally, the hackers managed to obtain a comprehensive list of all departmental email accounts, according to information shared during a State Department briefing, which the same staff member attended.
Senator Eric Schmitt expressed concerns about the federal government's reliance on a single vendor, emphasizing the need for a thorough examination of this potential vulnerability in an emailed statement to Reuters.
In July, Microsoft made public the revelation of a Chinese cyber-espionage campaign that had successfully compromised a minimum of 25 organizations, including the United States government. Microsoft disclosed that the threat actors had gained unauthorized access to customer email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com by manipulating authentication tokens.
Microsoft disclosed that the attackers leveraged an "acquired" Microsoft account (MSA) signing key to forge tokens, granting them access to OWA and Outlook.com. Furthermore, they exploited a vulnerability in token validation to masquerade as Azure AD users, thereby gaining entry to enterprise email systems.
Recent developments in this incident have unveiled that the threat actors managed to obtain the signing key after initially breaching a Microsoft engineer's account. In April 2021, an unfortunate event unfolded when a system crash led to the key being inadvertently exposed in a data crash dump, which subsequently became accessible via the engineer's account.
Additionally, it was revealed that the Storm-0558 group exploited a zero-day validation flaw within the GetAccessTokenForResource API, enabling them to craft counterfeit access tokens and impersonate accounts within the State Department and other targeted organizations.
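The token-validation failure mode described above, as an added illustration that is not Microsoft's code or taken from the report: a verifier that checks only the signature will accept a token signed by a key that is not authorized for the issuer the token claims, while a verifier that also binds each key to its permitted issuers rejects it. Key identifiers, issuer strings and HMAC secrets are constructed for the demo; real token-signing keys are asymmetric.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed key set. Each key records the issuer(s) it is authorized to sign for,
# mirroring a consumer (MSA) key versus an enterprise (Azure AD) key. Hypothetical values.
KEYS = {
    "msa-key-1": {"secret": b"consumer-demo-secret", "issuers": {"login.live.com"}},
    "aad-key-7": {"secret": b"enterprise-demo-secret", "issuers": {"login.microsoftonline.com"}},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(kid: str, claims: dict) -> str:
    """Build a compact JWS signed with the named key (used only to construct test input)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_signature_only(token: str) -> Optional[dict]:
    """Weak check: any known key is accepted for any issuer, as long as the signature is valid."""
    h, b, s = token.split(".")
    key = KEYS.get(json.loads(_unb64(h))["kid"])
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return None
    return json.loads(_unb64(b))

def verify_scoped(token: str, expected_issuer: str) -> Optional[dict]:
    """Hardened check: valid signature AND the signing key is authorized for the claimed issuer."""
    claims = verify_signature_only(token)
    if claims is None or claims.get("iss") != expected_issuer:
        return None
    kid = json.loads(_unb64(token.split(".")[0]))["kid"]
    if expected_issuer not in KEYS[kid]["issuers"]:
        return None  # signature is fine, but this key may not vouch for this issuer
    return claims

# Constructed regression input: signed by the consumer key, yet claiming the enterprise issuer.
cross_scope_token = mint_token("msa-key-1", {"iss": "login.microsoftonline.com", "sub": "user@example.gov"})
```

Running `verify_signature_only(cross_scope_token)` returns the claims, whereas `verify_scoped(cross_scope_token, "login.microsoftonline.com")` returns `None`; the scope check is the control that the signature check alone lacks.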