China Breaches Microsoft Cloud — Spied on US Govt. Email

Multiple Microsoft failures cause data leaks at State and Commerce depts., plus 23 other orgs.

Microsoft’s SaaS email system got hacked two months ago. Redmond’s only telling us now, in part because it only found out a month later—when they were told about it by the State Department.

The government is greatly displeased. Even U.S. spokespeople aren’t holding back. In today’s SB Blogwatch, we get that special déjà vu feeling again.


Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The “space age” RCA 501.

Storm-0558 Brewing

What’s the craic? Ellen Nakashima, Joseph Menn, Shane Harris and Caroline O’Donovan report—“Chinese hackers breach email of Commerce … and State Department”:

Hard questions
Chinese cyberspies, exploiting a fundamental gap in Microsoft’s cloud, hacked email accounts at the Commerce and State departments — including that of Commerce Secretary Gina Raimondo, whose agency has imposed stiff export controls on Chinese technologies. … The Microsoft vulnerability was discovered last month by the State Department. … About 25 organizations worldwide were hacked.

The hackers, looking for information useful to the Chinese government, had access to the email accounts for about a month. … National Security Council spokesman Adam Hodges said, … “Officials immediately contacted Microsoft to find the … vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. government to a high security threshold.”

U.S. officials said they were investigating how the signing keys were obtained from Microsoft. … “There are some hard questions they have to answer,” … said [Hodges].

Adding context, it’s Sergiu Gatlan—“Chinese hackers breached US govt”:

Exploited an unpatched Office zero-day
The attacks have been pinned on a threat group tracked as Storm-0558, believed to be a cyber-espionage outfit focused on collecting sensitive information by breaching email systems. … Starting from May 15 … threat actors managed to access Outlook accounts belonging to roughly 25 organizations … and some consumer accounts likely connected to them.

Microsoft also revealed that the RomCom Russian-based cybercriminal group exploited an unpatched Office zero-day in recent spear-phishing attacks targeting organizations attending the NATO Summit in Vilnius, Lithuania.

Horse’s mouth? Charlie Bell pours sauce for the goose—“China-Based Threat Actor Activity”:

To benefit the industry
Microsoft and others in the industry have called for transparency when it comes to cyber incidents so that we can learn and get better. … The growing challenges we face only reinforce our commitment to greater information sharing and industry partnership.

Today, we are publishing details … of the incident and threat actor to benefit the industry. … Accountability starts right here at Microsoft.

You might not know that your humble blogwatcher used to work in PR (don’t hate me—I drew the short straw). So here’s a translation of the Microsoft report:

Microsoft has mitigated an attack by a China-based threat actor.
We totally ****ed up, but we’re gonna present this as a win. Also: CHINA.

Based on customer reported information on June 16, 2023.
Our really impressive-looking SOC totally failed to notice. We didn’t know until the feds told us.

They did this by using forged authentication tokens to access user email.
Our authentication code is really buggy.

MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems.
Our authentication code is really buggy.

The actor exploited a token validation issue.
Did I mention our really buggy authentication code?

We have continuously improved the security of the MSA key management systems since the acquired MSA key was issued …
We closed the stable door after the horse bolted …
… as part of defense in depth …
… in a fully buzzword compliant manner …
… to ensure the safety and security of consumer keys.
… so kudos to us for making our authentication code slightly less buggy, amirite?
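For the curious, here is what that “token validation issue” looks like in miniature. This is an added illustration, not Microsoft’s code and not anything from the report: a toy token verifier that keeps a consumer key and an enterprise key in one merged key set. HMAC secrets stand in for the real signing keys so it runs on the standard library alone, and the issuer URLs, key IDs, secrets and claim names are all assumed. The weak verifier checks the signature and the token’s own iss claim but never asks which system the key belongs to, so a token signed with the consumer key and carrying enterprise claims sails through. The strict verifier binds each key to the one issuer it may vouch for, which is the property the report’s “should only be valid for their respective systems” sentence describes.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

CONSUMER = "https://login.live.com"               # assumed MSA (consumer) issuer
ENTERPRISE = "https://login.microsoftonline.com"  # assumed Azure AD (enterprise) issuer

# Constructed toy key set. The real incident involved asymmetric signing keys;
# HMAC secrets stand in here so the block runs on the standard library.
# Each key records the single issuer it is allowed to sign for.
KEYS = {
    "msa-key-1": {"secret": b"consumer-signing-secret", "issuer": CONSUMER},
    "aad-key-1": {"secret": b"enterprise-signing-secret", "issuer": ENTERPRISE},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWT-style token (header.payload.signature) with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims)
    )
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _check_signature(token: str):
    """Shared parsing: returns (kid, claims) when the signature matches the key named by kid."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        key = KEYS[header["kid"]]
        presented = _b64url_decode(sig_b64)
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    return header["kid"], claims


def verify_weak(token: str, expected_issuer: str) -> Optional[dict]:
    """The failure mode: signature and iss claim are checked, but any key in the
    merged set is allowed to vouch for any issuer. The iss check looks reassuring
    and buys nothing, because whoever holds a key also controls the claims."""
    result = _check_signature(token)
    if result is None:
        return None
    _kid, claims = result
    if claims.get("iss") != expected_issuer:
        return None
    return claims  # never asks which key system produced the signature


def verify_strict(token: str, expected_issuer: str) -> Optional[dict]:
    """Hardened: the signing key must be bound to the issuer the relying party
    expects, and the token's iss claim must agree with that same issuer."""
    result = _check_signature(token)
    if result is None:
        return None
    kid, claims = result
    if KEYS[kid]["issuer"] != expected_issuer:
        return None  # a consumer key cannot vouch for an enterprise token
    if claims.get("iss") != expected_issuer:
        return None
    return claims


if __name__ == "__main__":
    enterprise_claims = {"iss": ENTERPRISE, "sub": "user@example.test", "aud": "mail-api"}
    cross_signed = sign_token("msa-key-1", enterprise_claims)   # enterprise claims, consumer key
    proper = sign_token("aad-key-1", enterprise_claims)
    print("weak accepts cross-signed:  ", verify_weak(cross_signed, ENTERPRISE) is not None)    # True
    print("strict accepts cross-signed:", verify_strict(cross_signed, ENTERPRISE) is not None)  # False
    print("strict accepts proper:      ", verify_strict(proper, ENTERPRISE) is not None)        # True
```

The detection angle follows directly: a relying party that logs the kid of every accepted token can alert whenever a consumer-system key shows up on an enterprise tenant, which is exactly the signal the weak verifier throws away.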

Too harsh? jsnell’s instincts seem similar to mine:

This seems to be written mainly for ass-covering.

Is this saying that the attackers got Microsoft’s … private key? I don’t know how else to interpret it, but “acquiring” sure ain’t the language you use for that level of breach. And how was the key “acquired”? From a security vulnerability in their production systems? Breach of their corp network?

So not only did they leak the private key, but their validation code was also broken and checked the signatures against the wrong key? How does that even happen?

And Abominator absolutely agrees:

This is Microsoft. It’s always going to be shoddy code.

Just look at the bloat that is Teams: Their modern, cutting edge messaging app.

Meanwhile, a rather less wordy reaction from r1348 refers to the U.S. Joint Enterprise Defense Infrastructure contract:

Lol. And you wanted to award JEDI to these ***hats?

And Finally:



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Alejandro Luengo (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
