Several U.S. government agencies are among the victims of a cyberattack by a China-based threat group that accessed unclassified email data of more than two dozen organizations globally. The attackers used forged authentication tokens, minted with an acquired Microsoft account consumer signing key, to read victims’ emails for about a month.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the campaign was first discovered in June after a federal agency identified suspicious activity in its Microsoft 365 cloud environment via the audit logs and reported it to Microsoft and CISA. Within the MailItemsAccessed event, which is generated when licensed users access items in Exchange Online mailboxes using connectivity protocols from clients, the agency observed an AppID that did not normally access mailbox items in its environment.
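The detection described above, an AppID showing up in MailItemsAccessed events that has never accessed mailbox items before, can be reproduced offline against an exported audit log. The following script is an added example written for this article, not code from CISA or Microsoft: it learns the set of AppIDs seen in a baseline window, then reports any AppID that first appears afterwards together with the mailboxes it touched. The record layout (CreationTime, Operation, AppId, MailboxOwnerUPN, OperationProperties) mirrors the field names in Unified Audit Log exports, but the GUIDs, user names and timestamps are constructed placeholders.

```python
import json
from datetime import datetime

# Constructed placeholder identifiers (not real application IDs or users).
BASELINE_APPID = "11111111-1111-1111-1111-111111111111"  # routine mail client
RARE_APPID = "99999999-9999-9999-9999-999999999999"      # never seen in baseline
CUTOFF = datetime(2023, 5, 15)  # end of the learning window for this example


def make_record(ts, upn, appid, op="MailItemsAccessed", access="Bind"):
    """Build one audit record shaped like an Exchange mailbox-audit entry."""
    return {
        "CreationTime": ts,
        "Operation": op,
        "Workload": "Exchange",
        "MailboxOwnerUPN": upn,
        "AppId": appid,
        "OperationProperties": [{"Name": "MailAccessType", "Value": access}],
    }


# Constructed sample export: normal activity before the cutoff, then a
# previously unseen AppId reading two mailboxes after it.
SAMPLE_AUDIT_LOG = json.dumps([
    make_record("2023-05-01T08:00:00", "alice@example.gov", BASELINE_APPID),
    make_record("2023-05-02T09:30:00", "bob@example.gov", BASELINE_APPID),
    make_record("2023-05-10T14:05:00", "alice@example.gov", BASELINE_APPID),
    make_record("2023-05-16T03:12:00", "alice@example.gov", RARE_APPID),
    make_record("2023-05-17T03:40:00", "bob@example.gov", RARE_APPID, access="Sync"),
    make_record("2023-05-18T10:00:00", "bob@example.gov", BASELINE_APPID),
    # A non-MailItemsAccessed operation must not influence the result.
    make_record("2023-05-18T11:00:00", "bob@example.gov", RARE_APPID, op="Send"),
])


def load_records(raw_json):
    """Parse the export and attach a datetime for window comparisons."""
    records = json.loads(raw_json)
    for rec in records:
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
    return records


def mail_access_events(records):
    """Keep only the events the article's detection is built on."""
    return [r for r in records if r.get("Operation") == "MailItemsAccessed"]


def build_appid_baseline(records, cutoff):
    """AppIds that accessed mailbox items during the learning window."""
    return {r["AppId"] for r in mail_access_events(records) if r["_time"] < cutoff}


def find_unusual_appids(records, baseline, cutoff):
    """Map each AppId first seen after the cutoff to the mailboxes it read."""
    summary = {}
    for rec in mail_access_events(records):
        if rec["_time"] >= cutoff and rec["AppId"] not in baseline:
            summary.setdefault(rec["AppId"], set()).add(rec["MailboxOwnerUPN"])
    return summary


def run_detection(raw_json=SAMPLE_AUDIT_LOG, cutoff=CUTOFF):
    """Convenience wrapper returning (baseline, unusual AppIds)."""
    records = load_records(raw_json)
    baseline = build_appid_baseline(records, cutoff)
    return baseline, find_unusual_appids(records, baseline, cutoff)


if __name__ == "__main__":
    baseline, unusual = run_detection()
    print("baseline AppIds:", sorted(baseline))
    for appid, mailboxes in unusual.items():
        print(f"new AppId {appid} accessed mailboxes: {sorted(mailboxes)}")
```

In practice the baseline window should be long enough to cover every legitimate client in the tenant, and the result is a triage list rather than a verdict: a new AppID can also be a newly onboarded application, so the next step is to check who consented to it and whether the MailAccessType and access times are consistent with that application’s purpose.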
“Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” according to CISA on Wednesday. “The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.”
While Microsoft began its investigation into the attacks on June 16, the threat actors had been compromising email accounts since May 15. Microsoft tied the attacks to Storm-0558 (with “Storm” being the company’s designation for a new or emerging threat group), an adversary based in China. Storm-0558 mostly targets government agencies in Western Europe and is focused on espionage, data theft and credential access, said Microsoft.
“We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection,” according to Microsoft. “This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.”