Emails of U.S. government agencies compromised in cyber attack attributed to China

In mid-June 2023, a U.S. Federal Civilian Executive Branch (FCEB) agency detected unusual email activity, which subsequently prompted Microsoft to uncover a new espionage campaign originating from China. The campaign specifically targeted approximately two dozen organizations.

CNN and the Washington Post have reported that the government agency involved in the cyber attack, although not explicitly named, is believed to be the U.S. State Department, as stated by sources familiar with the incident. Additionally, the Commerce Department, along with the email accounts of a congressional staffer, a U.S. human rights advocate, and several U.S. think tanks, were also targeted. The total count of affected organizations in the United States is estimated to be less than ten.

The disclosure follows Microsoft's attribution of the campaign to an emerging "China-based threat actor" named Storm-0558. This threat actor primarily targets government agencies in Western Europe, focusing on espionage and data theft. Evidence indicates that the malicious activity began a month before detection.

However, China has denied involvement in the hacking incident, accusing the U.S. of being the "world's biggest hacking empire and global cyber thief." China has called for the U.S. to clarify its cyber attack activities and cease spreading disinformation to divert public attention.

The attack relied on forged authentication tokens, which gave the cyberspies access to customer email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com. The tokens were minted with an acquired Microsoft account (MSA) consumer signing key; how the key was obtained remains unknown.

Storm-0558 utilized two custom malware tools, namely Bling and Cigril, to facilitate credential access. Cigril, described as a trojan, decrypts encrypted files and executes them directly from system memory to evade detection.

The Cybersecurity and Infrastructure Security Agency (CISA) stated that the FCEB agency identified the breach by utilizing advanced logging in Microsoft Purview Audit, specifically by employing the MailItemsAccessed mailbox-auditing action.

To detect similar activity and distinguish it from normal behavior, CISA recommends that organizations enable Purview Audit (Premium) logging, activate Microsoft 365 Unified Audit Logging (UAL), and ensure that operators can search the logs effectively. These measures help organizations detect and investigate such activity within their environments.
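CISA's guidance above comes down to searching MailItemsAccessed records for reads that do not look like the mailbox owner's own clients. The Python below is an added example, not code from the article or from CISA: it triages a small constructed Unified Audit Log export, baselines each user's client AppId and source IP before a cutoff date, and flags later reads that match neither; every user, IP, AppId and timestamp in it is a placeholder.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one UAL "AuditData" JSON object per line. Field
# names follow the MailItemsAccessed schema; every value (users, IPs, AppIds,
# timestamps) is a placeholder invented here, not an indicator from the incident.
SAMPLE_LINES = [
    '{"CreationTime":"2023-05-02T08:15:00","Operation":"MailItemsAccessed","UserId":"alice@agency.example",'
    '"ClientIPAddress":"203.0.113.10","AppId":"app-placeholder-outlook","MailAccessType":"Bind"}',
    '{"CreationTime":"2023-05-09T17:40:00","Operation":"MailItemsAccessed","UserId":"bob@agency.example",'
    '"ClientIPAddress":"203.0.113.20","AppId":"app-placeholder-outlook","MailAccessType":"Sync"}',
    '{"CreationTime":"2023-06-10T03:05:00","Operation":"MailItemsAccessed","UserId":"alice@agency.example",'
    '"ClientIPAddress":"198.51.100.77","AppId":"app-placeholder-unknown","MailAccessType":"Bind"}',
    '{"CreationTime":"2023-06-12T10:30:00","Operation":"MailItemsAccessed","UserId":"bob@agency.example",'
    '"ClientIPAddress":"203.0.113.20","AppId":"app-placeholder-outlook","MailAccessType":"Sync"}',
]

# Per-user attributes compared against the baseline; access with a forged token
# rarely matches the mailbox owner's usual client application and source IP.
FIELDS = ("AppId", "ClientIPAddress")

def parse_mail_access(lines):
    """Parse JSON lines, keep only MailItemsAccessed records, sort by time."""
    records = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue  # Send, MailboxLogin and other operations are out of scope here
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])

def build_baseline(records, cutoff):
    """For each user, the AppIds and IPs seen strictly before the cutoff."""
    seen = defaultdict(lambda: {f: set() for f in FIELDS})
    for rec in (r for r in records if r["_ts"] < cutoff):
        for f in FIELDS:
            seen[rec["UserId"]][f].add(rec[f])
    return seen

def find_anomalies(lines, cutoff_iso):
    """(UserId, CreationTime, reasons) for post-cutoff reads from an AppId or IP the user never used before."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    records = parse_mail_access(lines)
    seen = build_baseline(records, cutoff)
    hits = []
    for rec in (r for r in records if r["_ts"] >= cutoff):
        reasons = [f"new {f} {rec[f]}" for f in FIELDS if rec[f] not in seen[rec["UserId"]][f]]
        if reasons:
            hits.append((rec["UserId"], rec["CreationTime"], reasons))
    return hits
```

On the constructed data only the 2023-06-10 read of alice's mailbox is flagged, for both a new AppId and a new source IP; a user absent from the baseline window is flagged on every field, which is the conservative choice for a triage pass.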