Foreign state-sponsored actors likely had access to privileged state emails for weeks, thanks to a token validation vulnerability.
July 12, 2023
This spring, a Chinese threat actor had access to email accounts at roughly 25 organizations, including government agencies, in Western Europe and the US, among them the State Department.
On July 11, Microsoft reported having quelled a cyberespionage campaign carried out by the group it tracks as "Storm-0558." Storm-0558 is based in China and appears focused on espionage, primarily against Western government organizations.
Anonymous sources told CNN that the campaign affected the US State Department, as well as an entity on Capitol Hill (whether the attackers were successful against the latter is less clear). The hackers homed in on "just a handful of officials' email accounts at each agency in a hack aimed at specific officials," CNN reported. It's unclear what kind of sensitive information the adversaries were able to access.
According to Microsoft's profile of Storm-0558, the group is also known for two custom malware families: Bling, and Cigril, a Trojan that decrypts encrypted payloads and runs them directly from system memory in order to evade detection.
In this instance, the group was able to forge authentication tokens to masquerade as authorized Azure Active Directory (Azure AD) users, obtaining access to enterprise email accounts and the potentially sensitive information contained within.
"Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with," said John Hultquist, Mandiant chief analyst with Google Cloud, in a written statement sent to Dark Reading. "They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth."
Microsoft was first tipped off to anomalous mail activity on June 16, based on information reported by a customer. After some investigating, it became clear that a wider cyber espionage campaign was underway, and that it dated back at least a month, to May 15.
Storm-0558's espionage was enabled by an acquired Microsoft account (MSA) consumer signing key, combined with a token validation issue. An MSA consumer key should only ever be accepted for consumer (Outlook.com) identities, while Azure AD enterprise identities are signed by separate keys from a separate system; because of the validation flaw, tokens signed with the consumer key were also accepted as enterprise tokens. That let the group forge tokens impersonating legitimate Azure AD users and read mailboxes through Outlook Web Access in Exchange Online, as well as Outlook.com consumer accounts.
Microsoft has since blocked tokens issued with the acquired key, replaced the key, and corrected the validation issue, cutting off any further threat actor activity by this route.
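The validation flaw described above, shown as an added example that is not code from the article or from Microsoft: a token verifier that trusts any signing key from a merged consumer-plus-enterprise key set (so a token signed with the consumer key is accepted for an enterprise mailbox), beside a hardened verifier that scopes the key lookup to the issuer the resource actually trusts and checks the iss, aud and exp claims. The issuer URLs, key IDs, audience and user names are illustrative, and HMAC-SHA256 stands in for the asymmetric keys a real identity provider uses; the principle (a signing key is only valid for the issuer it belongs to) is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Illustrative issuers: the first stands in for the consumer (Microsoft account)
# identity system, the second for the Azure AD enterprise identity system.
CONSUMER_ISSUER = "https://consumer-login.example"
ENTERPRISE_ISSUER = "https://enterprise-login.example"

# Constructed key material. Real IdPs publish RSA/EC public keys; HMAC is used
# here so the example is self-contained. Each issuer has its own key set.
KEYSETS = {
    CONSUMER_ISSUER: {"msa-key-1": b"consumer-signing-secret"},
    ENTERPRISE_ISSUER: {"aad-key-1": b"enterprise-signing-secret"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWT whose header names the key (kid) used to sign it."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s), f"{h}.{p}"


def _sig_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_weak(token: str, audience: str):
    """Flawed verifier: resolves kid against ALL issuers' keys and never checks iss.
    A token signed with the consumer key is therefore accepted for enterprise mail."""
    header, claims, sig, signing_input = _parse(token)
    all_keys = {kid: k for keyset in KEYSETS.values() for kid, k in keyset.items()}
    key = all_keys.get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        return None
    return claims.get("sub")


def validate_strict(token: str, audience: str, expected_issuer: str):
    """Hardened verifier: the key must come from the key set of the one issuer this
    resource trusts, and iss, aud and exp are all enforced."""
    header, claims, sig, signing_input = _parse(token)
    if claims.get("iss") != expected_issuer:
        return None
    key = KEYSETS[expected_issuer].get(header.get("kid"))  # scoped lookup
    if key is None or not _sig_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        return None
    return claims.get("sub")


def demo() -> dict:
    """Legitimate enterprise token vs. a token forged with the stolen consumer key."""
    now = int(time.time())
    target = {"iss": ENTERPRISE_ISSUER, "sub": "official@agency.example",
              "aud": "exchange-online", "exp": now + 3600}
    legit = sign_token(target, "aad-key-1", KEYSETS[ENTERPRISE_ISSUER]["aad-key-1"])
    # Attacker holds only the consumer key but writes enterprise claims into the token.
    forged = sign_token(target, "msa-key-1", KEYSETS[CONSUMER_ISSUER]["msa-key-1"])
    return {
        "legit_weak": validate_weak(legit, "exchange-online"),
        "legit_strict": validate_strict(legit, "exchange-online", ENTERPRISE_ISSUER),
        "forged_weak": validate_weak(forged, "exchange-online"),
        "forged_strict": validate_strict(forged, "exchange-online", ENTERPRISE_ISSUER),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:14s} -> {'ACCEPTED as ' + user if user else 'rejected'}")
```

Note that the forged token carries the enterprise issuer in its iss claim, since the attacker controls the payload; checking iss alone would not stop it. What stops it in the strict verifier is binding the kid lookup to the expected issuer's own key set, so a consumer key can never authenticate an enterprise identity regardless of what the claims say.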
In all, the APT appears to have compromised roughly 25 organizations, primarily government agencies in Western Europe, as well as personal accounts of individuals associated with those organizations. As Charlie Bell, executive vice president of Microsoft Security, noted in a blog post: "These well-resourced adversaries draw no distinction between trying to compromise business or personal accounts associated with targeted organizations, since it only takes one successfully compromised account login to gain persistent access, exfiltrate information and achieve espionage objectives."
Microsoft has since contacted all known victims, it said, and noted that no further action from customers is required.
This novel approach to breaking into sensitive systems at privileged organizations is the latest evidence that Chinese threat actors are upgrading their tradecraft. "The reality is that we are facing a more sophisticated adversary than ever, and we'll have to work much harder to keep up with them," Hultquist wrote.
Microsoft declined a request to comment on this story.
Nate Nelson, Contributing Writer
Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" — an award-winning Top 20 tech podcast on Apple and Spotify — and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.