Chinese hackers have recently breached the email accounts of a US Federal Civilian Executive Branch (FCEB) agency, as part of a larger cyberespionage campaign targeting multiple organizations. The attack highlights the pressing need for organizations to enhance their cybersecurity measures. A joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) provides crucial recommendations for organizations to bolster their cybersecurity posture.
“In June 2023, a Federal Civilian Executive Branch (FCEB) agency observed unexpected events in Microsoft 365 (M365) audit logs. After reporting the incident to Microsoft, network defenders deemed the activity malicious.” reads the advisory published by US CISA.
Breach and Investigation
In mid-June, an unnamed FCEB agency reported suspicious email activity, prompting an investigation by Microsoft experts. Their findings revealed that threat actors with ties to China had specifically targeted the agency, along with numerous other organizations, in a cyberespionage campaign.
Scope of the Attack
According to reports from the Washington Post, Chinese cyberspies successfully breached the email systems of the U.S. State Department and the Commerce Department. They also targeted a congressional staffer, a U.S. human rights advocate, and U.S. think tanks. The attackers exploited vulnerabilities in Microsoft’s cloud infrastructure to gain unauthorized access.
Mitigation Efforts
Microsoft announced that they have successfully mitigated an attack carried out by a China-linked threat actor known as Storm-0558. This actor primarily targets government agencies in Western Europe and has engaged in cyberespionage, data theft, and credential access attacks. The investigation revealed that the attack had started on May 15, 2023, affecting approximately 25 organizations. Microsoft promptly blocked Storm-0558 from accessing customer emails and has directly informed the targeted organizations to assist with the investigation and response.
“Our telemetry indicates that we have successfully blocked Storm-0558 from accessing customer email using forged authentication tokens. No customer action is required.” reads the post published by Microsoft. “As with any observed nation-state actor activity, Microsoft has contacted all targeted or compromised organizations directly via their tenant admins and provided them with important information to help them investigate and respond.”
Attack Methods
In their research, Microsoft identified that the threat actors gained access to customer email accounts by forging authentication tokens. They exploited a token validation issue in Outlook Web Access (OWA) in Exchange Online and Outlook.com. By utilizing acquired Microsoft account (MSA) consumer signing keys, the attackers were able to impersonate Azure AD users and gain unauthorized access to enterprise mail.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
