Foreign state-sponsored actors likely had access to privileged state emails for weeks, thanks to a token validation vulnerability.
July 12, 2023
This spring, a Chinese threat actor had access to email accounts across 25 government agencies in Western Europe and the US, including the State Department.
On July 11, Microsoft reported having quelled a cyberespionage campaign carried out by the group it tracks as "Storm-0558." Storm-0558 is based in China and appears focused on espionage, primarily against Western government organizations.
Anonymous sources told CNN that the campaign affected the US State Department, as well as an entity on Capitol Hill (but whether the attackers were successful against the latter is less clear). The hackers honed in on "just a handful of officials' email accounts at each agency in a hack aimed at specific officials," CNN reported. It's unclear what kind of sensitive information the adversaries were able to gain access to.
According to Microsoft's profile of Storm-0558, it's also known for its two custom malwares — Bling, and Cigril, a Trojan that encrypts files and runs them directly from system memory in order to evade detection.
In this instance, the group was able to forge authentication tokens to masquerade as authorized Azure Active Directory (AD) users, obtaining access to enterprise email accounts and the potentially sensitive information contained within.
"Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with," said John Hultquist, Mandiant chief analyst with Google Cloud, in a written statement sent to Dark Reading. "They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth."
Microsoft was first tipped off to anomalous mail activity on June 16. After some investigating, it became clear that a wider cyber espionage campaign was underway, and that it dated back at least a month, to May 15.
Storm-0558's espionage was enabled by stolen Managed Service Account (MSA) consumer signing keys, and a validation issue that allowed the group to forge authentication tokens, impersonating legitimate Azure AD users in order to access email accounts using Outlook.com and the Outlook Web Access client in Exchange Online.
Microsoft has since remediated the MSA key issue, blocking any further threat actor activity.
In all, the APT appears to have compromised 25 government agencies primarily in Western Europe, as well as personal accounts from individuals related to those agencies. As Charlie Bell, executive vice president of Microsoft Security noted in a blog post: "These well-resourced adversaries draw no distinction between trying to compromise business or personal accounts associated with targeted organizations, since it only takes one successfully compromised account login to gain persistent access, exfiltrate information and achieve espionage objectives."
Microsoft has since contacted all known victims, it said, and noted that no further action from customers is required.
This latest novel approach to breaking sensitive systems belonging to privileged organizations is just the latest evidence that Chinese threat actors are upgrading their tradecraft. "The reality is that we are facing a more sophisticated adversary than ever, and we'll have to work much harder to keep up with them," Hultquist writes.
Microsoft declined a request to comment on this story.
Nate Nelson, Contributing Writer
Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" — an award-winning Top 20 tech podcast on Apple and Spotify — and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
You May Also Like
Key Findings from the State of AppSec Report 2024
Is AI Identifying Threats to Your Network?
Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
Why Effective Asset Management is Critical to Enterprise Cybersecurity
Black Hat USA – August 3-8 – Learn More
Cybersecurity’s Hottest New Technologies: What You Need To Know
Industrial Networks in the Age of Digitalization
Zero-Trust Adoption Driven by Data Protection
How Enterprises Assess Their Cyber-Risk
The Foundation for Building Scalable Applications to Fuel Customer Satisfaction and Growth
Defending Against Critical Threats
Cisco Panoptica for Simplified Cloud-Native Application Security
A Short Primer on Container Scanning
The Cloud Threat Landscape: Security learnings from analyzing 500+ cloud environments
Making Sense of Your Security Data: The 6 Hardest Problems
Use the 2023 MITRE ATT&CK Evaluation Results for Turla to Inform EDR Buying Decisions
Black Hat USA – August 3-8 – Learn More
Cybersecurity’s Hottest New Technologies: What You Need To Know
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.
Leave a Reply