CISA scorches Microsoft in Exchange Online hack investigation

China-linked hacking group has ties to 2009 Operation Aurora

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

CISA scorches Microsoft in Exchange Online hack investigation

The Department of Homeland Security (DHS) and the CISA Cyber Safety Review Board (CSRB) released a scathing report against Microsoft yesterday. The independent investigation focused on Microsoft’s failings in the Microsoft Exchange Online hacks of summer 2023, attributed to Storm-0558, a China-linked hacking group.

The report from CSRB highlights the level of access China was able to obtain after exploiting multiple vulnerable Microsoft Exchange systems:

In May 2023, a threat actor known as Storm-0558 compromised the Microsoft Exchange Online mailboxes of a broad range of victims in the United States, the United Kingdom, and elsewhere. Storm-0558, assessed by multiple sources to pursue espionage objectives and maintain ties with the People’s Republic of China (PRC), accessed email accounts in the U.S. Department of State, U.S. Department of Commerce, and U.S. House of Representatives. This included the official and personal mailboxes of U.S. Commerce Secretary Gina Raimondo; Congressman Don Bacon; U.S. Ambassador to the PRC, R. Nicholas Burns; Assistant Secretary of State for East Asian and Pacific Affairs, Daniel Kritenbrink; and additional individuals across 22 organizations.

CISA Cyber Safety Review Board (CSRB)

According to the report, Storm-0558 downloaded over 60,000 emails from the State Department alone. Researchers were able to link Storm-0558 members to the 2009 Operation Aurora hacking campaigns, which targeted dozens of private companies, such as Google, Adobe, Juniper, Yahoo, and Northrop Grumman.

While Storm-0558 shares overlapping tactics, techniques, and procedures (TTPs) with other Chinese hacking groups (e.g., VIOLET TYPHOON, ZIRCONIUM, and APT-31), Microsoft assesses that the group operates independently. Storm-0558 has targeted U.S. and European diplomatic, economic, and governing bodies. It also includes Taiwan and Uyghur ethnic groups among its geopolitical targets.

Revisiting the Storm-0558 Exchange Online Hack

Microsoft investigations determined that Storm-0558 accessed customer email accounts in Outlook Web Access for Exchange Online (OWA) and Outlook.com by forging authentication tokens.

Further research by Microsoft confirmed that Storm-0558 used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems.

Storm-0558 then exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.
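The key-scoping failure described above, as an added illustration that is not Microsoft's code or the actual Exchange Online validation logic: a simplified model in which a validator that looks signing keys up by key ID from one merged consumer-plus-enterprise key set will accept a token carrying enterprise claims as long as some known key verifies its signature, while a validator that first selects the issuer and key set from the expected audience never consults a consumer key for an enterprise token. The issuer names, audience names, key IDs and HMAC secrets are all constructed for this example (the real signing keys were asymmetric); HMAC stands in so the example runs with only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing material (HMAC secrets stand in for real signing keys).
CONSUMER_KEYS = {"msa-key-1": b"constructed-consumer-secret"}
ENTERPRISE_KEYS = {"aad-key-1": b"constructed-enterprise-secret"}

# Constructed issuer names; each audience trusts exactly one issuer and its key set.
CONSUMER_ISS = "consumer-issuer.example"
ENTERPRISE_ISS = "enterprise-issuer.example"
TRUST = {
    "outlook.com": (CONSUMER_ISS, CONSUMER_KEYS),
    "exchange-online": (ENTERPRISE_ISS, ENTERPRISE_KEYS),
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    return header, claims, signing_input, _b64url_decode(sig_b64)


def _signature_ok(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_merged_keyset(token: str, expected_aud: str) -> Optional[dict]:
    """Weak validator: one combined key set, key chosen by kid alone.
    Any known key that verifies the signature is accepted, no matter which
    issuer that key belongs to."""
    all_keys = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    header, claims, signing_input, sig = _parse(token)
    key = all_keys.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != expected_aud:
        return None
    return claims


def validate_scoped(token: str, expected_aud: str) -> Optional[dict]:
    """Hardened validator: the audience decides which issuer, and therefore
    which key set, may vouch for the token. A kid from another issuer's
    key set is never looked up."""
    if expected_aud not in TRUST:
        return None
    expected_iss, keys = TRUST[expected_aud]
    header, claims, signing_input, sig = _parse(token)
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    key = keys.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    return claims


def demo() -> dict:
    # Legitimate consumer token, signed by the consumer key set.
    consumer_tok = sign_token(
        {"iss": CONSUMER_ISS, "aud": "outlook.com", "sub": "alice"},
        "msa-key-1", CONSUMER_KEYS["msa-key-1"])
    # Test token for the validators: enterprise claims, consumer-key signature.
    cross_tok = sign_token(
        {"iss": ENTERPRISE_ISS, "aud": "exchange-online", "sub": "bob@corp"},
        "msa-key-1", CONSUMER_KEYS["msa-key-1"])
    return {
        "consumer_scoped": validate_scoped(consumer_tok, "outlook.com"),
        "cross_merged": validate_merged_keyset(cross_tok, "exchange-online"),
        "cross_scoped": validate_scoped(cross_tok, "exchange-online"),
    }
```

The point of `validate_scoped` is the order of checks: the expected audience fixes the issuer and key set before any key is fetched, so a valid signature from the wrong key set can never turn into a valid enterprise token. Pinning the `alg` in the header and checking expiry would be the next things a production validator adds.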

The breaches were so publicly embarrassing that U.S. Senator Ron Wyden (D-OR) sent a letter to Microsoft CEO Satya Nadella proclaiming that the company was “responsible” for the breach and should be “held accountable.”

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.

New from our favorite blogs and journalists:

Cybersecurity Job Openings

Are you looking for a new job or trying to get started in cybersecurity? We’ll post notable new openings across the industry here.

Google / Mandiant

Google and Mandiant (Google acquired Mandiant in September 2022) are aggressively hiring for numerous cybersecurity roles across the United States.

For a complete listing of all open cybersecurity roles hiring at Google + Mandiant, visit careers.google.com.

How did you like this issue of The Breach Report?


Until next time…

Rob Waters
Founder, The Breach Report + Cybersecurity Careers Blog
