Microsoft’s keys were lost, and the government was hacked

According to reports, Microsoft still does not know, or is not saying, how China-backed hackers obtained a signing key that let them read hundreds of email inboxes, including those of several US federal government agencies.
In a blog post on Friday, Microsoft said it is still an “ongoing investigation” into how the hackers obtained a Microsoft signing key, which they then used to forge authentication tokens that gave them access to inboxes as if they were the rightful owners. According to reports, the targets include US Commerce Secretary Gina Raimondo, US State Department officials, and other organizations that have not yet been publicly identified.
Microsoft disclosed the incident on Tuesday, attributing the month-long activity to Storm-0558, a newly identified espionage group with ties to China. The intrusions, which began in mid-May, affected a limited number of government accounts, in the single digits according to CISA, and the hackers exfiltrated some unclassified email data. While the United States has not publicly attributed the activity, China’s senior foreign ministry spokesperson rejected the allegations on Wednesday.
Whereas China-linked groups have previously broken into individual Microsoft-powered email systems to steal corporate data, this group went straight to the source, exploiting previously unknown and unreported weaknesses in Microsoft’s cloud itself.
According to Microsoft’s blog post, the hackers obtained one of its consumer signing keys, known as MSA keys, which the company uses to protect consumer email accounts such as those used to sign in to Outlook.com. Microsoft initially believed the hackers were forging enterprise authentication tokens, which protect corporate and enterprise email accounts, with a stolen enterprise signing key. It later discovered that the hackers were forging tokens with the consumer MSA key in order to break into enterprise inboxes, which Microsoft attributed to a “validation error in Microsoft code.” In other words, the code that validates enterprise tokens accepted a signature from a key that should only have been trusted for consumer accounts.
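To make the “validation error” concrete, the following is an added illustration, not Microsoft’s code and not a reconstruction of it. It uses HMAC secrets as stand-ins for asymmetric signing keys, and every issuer URL, key id and audience in it is invented. The vulnerable validator resolves a token’s key id across a merged pool of consumer and enterprise keys, so a token carrying enterprise issuer and audience claims but signed with the consumer key is accepted; the hardened validator decides which issuer the enterprise resource trusts first and looks the key id up only in that issuer’s key set.

```python
import base64
import hashlib
import hmac
import json

# Constructed, illustrative key material. HMAC secrets stand in for Microsoft's
# asymmetric signing keys; the issuer URLs, key ids and audience are invented
# for this example and are not Microsoft's identifiers.
CONSUMER_ISSUER = "https://consumer.example.invalid"      # plays the role of the MSA (consumer) issuer
ENTERPRISE_ISSUER = "https://enterprise.example.invalid"  # plays the role of the enterprise issuer
ENTERPRISE_AUDIENCE = "https://mail.example.invalid"      # the enterprise mailbox service

KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"msa-kid-1": b"consumer-signing-secret"},
    ENTERPRISE_ISSUER: {"aad-kid-1": b"enterprise-signing-secret"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, secret: bytes) -> str:
    """Mint a compact JWT (header.payload.signature) signed with the given key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    head, body, sig = token.split(".")
    return json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body)), _b64url_decode(sig), head + "." + body


def _signature_ok(secret: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _claims_ok(claims: dict, now: float) -> bool:
    return (claims.get("iss") == ENTERPRISE_ISSUER
            and claims.get("aud") == ENTERPRISE_AUDIENCE
            and claims.get("exp", 0) > now)


def validate_vulnerable(token: str, now: float) -> bool:
    """Flawed check: the kid is looked up across every issuer's key set, so a
    signature from the consumer key satisfies the enterprise resource as long
    as the forged claims name the enterprise issuer and audience."""
    header, claims, sig, signing_input = _split(token)
    merged = {kid: key for keyset in KEYS_BY_ISSUER.values() for kid, key in keyset.items()}
    secret = merged.get(header.get("kid"))
    if secret is None or not _signature_ok(secret, signing_input, sig):
        return False
    return _claims_ok(claims, now)


def validate_hardened(token: str, now: float) -> bool:
    """Key bound to issuer: decide which issuer this resource trusts first,
    then resolve the kid only within that issuer's key set. A consumer key
    can never verify an enterprise token here, whatever the claims say."""
    header, claims, sig, signing_input = _split(token)
    if claims.get("iss") != ENTERPRISE_ISSUER:
        return False
    secret = KEYS_BY_ISSUER[ENTERPRISE_ISSUER].get(header.get("kid"))
    if secret is None or not _signature_ok(secret, signing_input, sig):
        return False
    return _claims_ok(claims, now)


def forge_with_consumer_key(victim: str, now: float) -> str:
    """What an attacker holding only the stolen consumer key can mint: enterprise
    issuer and audience claims for any mailbox, signed by the consumer key."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": ENTERPRISE_AUDIENCE, "sub": victim, "exp": now + 3600}
    return sign_token(claims, "msa-kid-1", KEYS_BY_ISSUER[CONSUMER_ISSUER]["msa-kid-1"])


def mint_enterprise_token(user: str, now: float) -> str:
    """A legitimately issued enterprise token, for comparison."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": ENTERPRISE_AUDIENCE, "sub": user, "exp": now + 3600}
    return sign_token(claims, "aad-kid-1", KEYS_BY_ISSUER[ENTERPRISE_ISSUER]["aad-kid-1"])


if __name__ == "__main__":
    now = 1_700_000_000.0
    forged = forge_with_consumer_key("secretary@agency.invalid", now)
    print("vulnerable validator accepts forged token:", validate_vulnerable(forged, now))  # True
    print("hardened validator accepts forged token:", validate_hardened(forged, now))      # False
    print("hardened validator accepts real token:", validate_hardened(mint_enterprise_token("u@agency.invalid", now), now))  # True
```

The point of the hardened version is ordering: trust decisions about the issuer come before key lookup, so a valid signature from the wrong key set is never even considered. Checking `iss` after a successful signature check, as the vulnerable version does, proves nothing, because the attacker writes the claims.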
Microsoft said it had blocked “all actor activity” related to this issue, implying that the incident is over and the hackers have lost access. Although it is still unknown how Microsoft lost control of its own key, the company said it has hardened its key issuance processes, presumably to prevent another such digital skeleton key from being obtained.
The hackers made one critical error. Because they used the same key to raid many inboxes, Microsoft said, investigators were able to “see all actor access requests that followed this pattern across both our enterprise and consumer systems.” As a result, Microsoft knows who was compromised and has notified those affected.
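Microsoft has not published the query it used, so the following is an added example of what that hunt looks like, written for this page rather than taken from Microsoft. It runs over a constructed access log in an invented key=value format; the tenants, mailboxes, key ids, issuer hosts and IP addresses are all made up and are not indicators from the real incident. The pattern it flags is the one described above: a request carrying a token whose key id belongs to the consumer key set but whose issuer claim names the enterprise issuer. The same consumer key used with the consumer issuer is ordinary traffic and is left alone.

```python
import re
from collections import defaultdict

# Constructed sample access log. The field layout, key ids, issuer hosts,
# tenants, mailboxes and IPs are all invented for this example; they are not
# Microsoft's log format and not indicators from the real incident.
SAMPLE_LOG = """\
2023-05-15T08:01:12Z tenant=contoso.invalid mailbox=ceo@contoso.invalid op=ReadItems kid=aad-kid-1 iss=enterprise.example.invalid ip=203.0.113.10
2023-05-15T08:02:40Z tenant=contoso.invalid mailbox=ceo@contoso.invalid op=ReadItems kid=msa-kid-1 iss=enterprise.example.invalid ip=198.51.100.7
2023-05-15T08:03:01Z tenant=contoso.invalid mailbox=cfo@contoso.invalid op=ReadItems kid=msa-kid-1 iss=enterprise.example.invalid ip=198.51.100.7
2023-05-15T09:10:55Z tenant=fabrikam.invalid mailbox=sec@fabrikam.invalid op=ReadItems kid=aad-kid-1 iss=enterprise.example.invalid ip=203.0.113.22
2023-05-16T11:45:09Z tenant=fabrikam.invalid mailbox=sec@fabrikam.invalid op=ReadItems kid=msa-kid-1 iss=enterprise.example.invalid ip=198.51.100.7
2023-05-16T11:46:30Z tenant=consumer mailbox=alice@outlook.invalid op=ReadItems kid=msa-kid-1 iss=consumer.example.invalid ip=192.0.2.5
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list:
    """Turn each 'timestamp key=value ...' line into a dict."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": ts}
        rec.update(FIELD.findall(rest))
        records.append(rec)
    return records


def find_forged_requests(records, consumer_kids, enterprise_issuers):
    """The hunting pattern: a token signed by a consumer key (by kid) but
    presented with an enterprise issuer claim. Consumer key plus consumer
    issuer is normal traffic and is not flagged."""
    return [r for r in records
            if r.get("kid") in consumer_kids and r.get("iss") in enterprise_issuers]


def affected_mailboxes(hits) -> dict:
    """Tenant -> sorted list of mailboxes touched, i.e. who needs notifying."""
    by_tenant = defaultdict(set)
    for r in hits:
        by_tenant[r["tenant"]].add(r["mailbox"])
    return {tenant: sorted(boxes) for tenant, boxes in by_tenant.items()}


def actor_ips(hits) -> set:
    """Source addresses behind the forged requests, as pivots for further hunting."""
    return {r["ip"] for r in hits}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits = find_forged_requests(recs, {"msa-kid-1"}, {"enterprise.example.invalid"})
    for tenant, boxes in affected_mailboxes(hits).items():
        print(tenant, boxes)
    print("actor IPs:", actor_ips(hits))
```

The query only works if the access log records which key signed the presented token and what the token claimed as its issuer. That is exactly the kind of per-request detail a customer without mailbox-level logging would not have, which is why log availability became an issue in this incident.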
With the immediate threat believed to be over, Microsoft is now under fire for its handling of the incident, which is being described as the largest compromise of unclassified government data since the Russian espionage campaign that hacked SolarWinds in 2020.
As Ars Technica’s Dan Goodin pointed out, Microsoft went to great lengths in its blog post to avoid terms like “zero-day,” which refers to a vulnerability that is already being exploited by the time the software vendor learns of it, leaving zero days to fix it. Whether or not the flaw and its exploitation meet everyone’s definition of a zero-day, Microsoft went out of its way not to call it one, or even to call it a vulnerability.
The key leak and its misuse were compounded by government departments’ own lack of visibility into the intrusions. Microsoft is also under fire for reserving the security logs that could have helped other incident responders spot the malicious activity for government customers on its top-tier package.
According to CNN, the State Department discovered the intrusion and reported it to Microsoft. But not every government agency had the same level of security logging, which was available to departments on higher-priced Microsoft tiers but not to others, according to The Wall Street Journal. In a blog post published Monday, Mary Jo Foley, editor in chief of Directions on Microsoft, a consultancy for Microsoft customers, wrote that the lower government tier provides some logging but “does not keep track of specific mailbox data which would have revealed the attack.” On a call with reporters last week, a CISA official also lamented the lack of available logs. According to the Journal, Microsoft is “evaluating feedback.”
Although Microsoft’s expanded disclosure on Friday offered some additional technical detail and indicators of compromise that incident responders can use to check whether their own networks were targeted, the company still has questions to answer. Whether or not Microsoft knows the answers, the investigation is unlikely to conclude any time soon.