In July, Microsoft reported that a China-based hacking group named Storm-0558 had breached U.S. government-linked email accounts.
The attack affected 25 organizations, including Western European government agencies and email accounts of top American officials.
The breach originated from the compromise of a Microsoft engineer's corporate account, allowing the hackers to extract a cryptographic key used to access email accounts.
Microsoft Threat Intelligence assessed Storm-0558 as a China-based threat actor engaged in espionage activities.
The group operates independently, with working hours consistent with those in China.
Storm-0558 has historically targeted U.S. and European diplomatic, economic, and legislative bodies, as well as individuals associated with Taiwan and Uyghur geopolitical interests.
The group has been targeting Microsoft accounts since August 2021, using phishing campaigns and exploiting vulnerabilities in public-facing applications for initial access.
Breach of Microsoft's Security:
Storm-0558 compromised Microsoft's cloud security systems by acquiring an MSA key, which was used to forge tokens for access to Outlook Web Access (OWA), Microsoft's web-based mail client.
MSA keys are token signing keys used for authentication; with the acquired key the attackers could mint tokens that impersonated Azure AD users and so gain access to enterprise email.
Cryptographic Key Explanation:
A cryptographic key is a string of bits (usually written out as characters) that an encryption algorithm uses to encrypt and decrypt data.
It ensures that data is secure and can only be accessed by those with the correct key.
There are two types of encryption: symmetric and asymmetric.
Symmetric encryption uses the same key for both encryption and decryption, while asymmetric encryption uses a pair of keys: a public key that can be shared and a private key that must be kept secret.