Chinese APT Cracks Microsoft Outlook Emails at 25 Government Agencies

Foreign state-sponsored actors likely had access to privileged state emails for weeks, thanks to a token validation vulnerability.

3 Min Read
photo of a brick and mortar store with "Spy Shop" sign
Source: david pearson via Alamy Stock Photo

This spring, a Chinese threat actor had access to email accounts across 25 government agencies in Western Europe and the US, including the State Department.

On July 11, Microsoft reported having quelled a cyberespionage campaign carried out by the group it tracks as "Storm-0558." Storm-0558 is based in China and appears focused on espionage, primarily against Western government organizations.

Anonymous sources told CNN that the campaign affected the US State Department, as well as an entity on Capitol Hill (but whether the attackers were successful against the latter is less clear). The hackers honed in on "just a handful of officials' email accounts at each agency in a hack aimed at specific officials," CNN reported. It's unclear what kind of sensitive information the adversaries were able to gain access to.

According to Microsoft's profile of Storm-0558, it's also known for its two custom malwares — Bling, and Cigril, a Trojan that encrypts files and runs them directly from system memory in order to evade detection.

In this instance, the group was able to forge authentication tokens to masquerade as authorized Azure Active Directory (AD) users, obtaining access to enterprise email accounts and the potentially sensitive information contained within.

"Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with," said John Hultquist, Mandiant chief analyst with Google Cloud, in a written statement sent to Dark Reading. "They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth."

What We Know So Far About Chinese Spy Campaign

Microsoft was first tipped off to anomalous mail activity on June 16. After some investigating, it became clear that a wider cyber espionage campaign was underway, and that it dated back at least a month, to May 15.

Storm-0558's espionage was enabled by stolen Managed Service Account (MSA) consumer signing keys, and a validation issue that allowed the group to forge authentication tokens, impersonating legitimate Azure AD users in order to access email accounts using Outlook.com and the Outlook Web Access client in Exchange Online.

Microsoft has since remediated the MSA key issue, blocking any further threat actor activity.

In all, the APT appears to have compromised 25 government agencies primarily in Western Europe, as well as personal accounts from individuals related to those agencies. As Charlie Bell, executive vice president of Microsoft Security noted in a blog post: "These well-resourced adversaries draw no distinction between trying to compromise business or personal accounts associated with targeted organizations, since it only takes one successfully compromised account login to gain persistent access, exfiltrate information and achieve espionage objectives."

Microsoft has since contacted all known victims, it said, and noted that no further action from customers is required.

This latest novel approach to breaking sensitive systems belonging to privileged organizations is just the latest evidence that Chinese threat actors are upgrading their tradecraft. "The reality is that we are facing a more sophisticated adversary than ever, and we'll have to work much harder to keep up with them," Hultquist writes.

Microsoft declined a request to comment on this story.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights