Chinese Cyberspies Used Forged Authentication Tokens to Hack Government Emails
Microsoft prevented a Storm-0558 attack on customer emails from China. Storm-0558 targets Western European governments for espionage, data theft, and credential access. Microsoft investigated anomalous mail activity on June 16, 2023, based on customer reports.
Over the next few weeks, Microsoft investigation revealed that Storm-0558 gained access to email accounts affecting approximately 25 public cloud organisations, including government agencies, and related consumer accounts of individuals likely associated with these organisations on May 15, 2023.
They accessed user email using forged authentication tokens and an acquired Microsoft account (MSA) consumer signing key. Microsoft mitigated this attack for all customers.
Telemetry shows we blocked Storm-0558 from accessing customer email using forged authentication tokens. No customer action is needed. Microsoft has directly contacted all targeted or compromised organisations via their tenant admins and provided them with vital information to investigate and respond to nation-state actor activity. We collaborate with these groups. Our investigations show you were not affected if you were not contacted.
Microsoft is working with DHS CISA and others to help affected customers. We're investigating Storm-0558.
Microsoft found that Storm-0558 forged authentication tokens to access customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com.
OWA and Outlook.com tokens were forged using an acquired MSA key. MSA (consumer) and Azure AD (enterprise) keys are issued and managed by separate systems and should only work for their respective systems. The actor impersonated Azure AD users to access enterprise mail. This actor did not use Azure AD or other MSA keys. The actor has only used MSA key-forged tokens on OWA and Outlook.com.
Microsoft Threat Intelligence moderately believes Storm-0558 is a China-based threat actor with espionage goals. Storm-0558 is a distinct Chinese group, despite some minor overlaps with Violet Typhoon (ZIRCONIUM, APT31).
Microsoft has observed Storm-0558 targeting US and European diplomatic, economic, and legislative bodies and individuals with Taiwan and Uyghur geopolitical interests.
This threat actor has targeted media, think tanks, and telecommunications equipment and service providers. Storm-0558 campaigns typically target employee email accounts. Storm-0558 does this through credential harvesting, phishing, and OAuth token attacks. Since August 2021, this threat actor has targeted Microsoft accounts with OAuth applications, token theft, and token replay. Storm-0558 is well-trained and secure. The actors understand the target's environment, logging, authentication, policies, and procedures. Storm-0558's tooling and reconnaissance suggest the actor is technically skilled, well-resourced, and knowledgeable about many authentication methods and applications.
Got a news tip for our journalists? Share it with us anonymously here.
Send press releases to newsdesk@redwires.au. Other ways to contact us. Editorially, we may rewrite headlines and descriptions.
Recommend Redwires AU: Accessible News For Young Cybersecurity Aussies
Redwires AU provides Young Australians with easily accessible, curated cybersecurity news.
Before you go..
You can get RedWires AU for free right now. Your donation, no matter how big or small, will help us keep doing honest journalism.
The readers of Redwires AU are the engine that drives our publication. Add your support to the effort to create a sustainable future for journalism that does not make compromises in the AU.
In the world we live in now, accurate and thorough reporting and analysis are becoming more and more critical. To stop the spread of false information, it's essential that everyone in Australia has access to good reporting.
The Redwires AU contributes to society by opening up access to information and resources for all people, rather than just a select few.
Our only goal is to educate the general public more thoroughly. If you believe in what we're trying to accomplish here, please consider making a contribution right away to ensure our success in the years to come.
Upgrade your subscription to get the most out of it. Join the growing number of people around the world who believe in the power of independent media.