The Chinese government-affiliated hacking group Storm-0558 stole 60,000 U.S. government emails in May. They were able to do so through Exchange.
In the attack, the Chinese state hackers targeted Microsoft Outlook and gained access to the email accounts of U.S. diplomats in East Asia, the Pacific and Europe, Reuters writes. In addition to the 60,000 unclassified emails, the Storm-0558 hackers also got their hands on a list of all U.S. State Department email accounts.
The State Department has since confirmed the attack and email theft.
Method of attack
The attackers managed to get the emails through an attack on Microsoft Outlook. In May of this year, the tech giant announced that unknown hackers compromised Outlook accounts of 25 different organizations, including U.S. government departments and consumer accounts related to them.
To do so, the Storm-0558 hackers first obtained a consumer signing key from a Windows crash dump. This crash dump was stolen after a Microsoft employee's business account was hacked. This eventually gave them access to U.S. government email accounts.
The stolen MSA key was used to compromise Exchange Online and AD accounts by exploiting an unpatched zero-day validation vulnerability in the GetAccessTokenForResource API. This allowed the hackers to generate forged signed access tokens and use them to impersonate accounts within the targeted organizations.
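The underlying failure class is worth seeing in code: a token validator that accepts any known signing key, regardless of which identity system that key belongs to, lets a token signed with a consumer key pass as an enterprise token. The example below is added here and is not Microsoft's code; it uses HMAC-SHA256 as a stand-in for the RSA keys real MSA and Azure AD tokens carry, and the issuer URLs, key IDs, audience and secrets are constructed for illustration. It contrasts a naive validator with one that scopes key lookup to the issuer the resource expects.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample keys. Real MSA and Azure AD tokens are signed with RSA
# keys published on separate JWKS endpoints; HMAC is used only to keep this
# example self-contained and runnable offline.
CONSUMER_ISSUER = "https://login.live.com"               # consumer (MSA) accounts
ENTERPRISE_ISSUER = "https://login.microsoftonline.com"  # work/school accounts
KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"msa-key-1": b"constructed-consumer-secret"},
    ENTERPRISE_ISSUER: {"aad-key-1": b"constructed-enterprise-secret"},
}
EXCHANGE_AUDIENCE = "https://outlook.office365.com"  # assumed resource identifier


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, key: bytes, claims: dict) -> str:
    """Build a JWT-style token (header.payload.signature) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _split(token: str):
    """Return (header, claims, signature bytes, signing input) without verifying."""
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), f"{h}.{p}"


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def naive_verify(token: str, audience: str):
    """Weak validator: any known key whose kid matches may validate the token,
    no matter which identity system that key belongs to. Returns claims or None."""
    header, claims, sig, signing_input = _split(token)
    for keys in KEYS_BY_ISSUER.values():
        key = keys.get(header.get("kid"))
        if key and _signature_ok(key, signing_input, sig):
            return claims if claims.get("aud") == audience else None
    return None


def scoped_verify(token: str, audience: str, expected_issuer: str):
    """Hardened validator: the resource fixes the issuer it accepts, and only
    that issuer's keys may validate the signature. Returns claims or None."""
    header, claims, sig, signing_input = _split(token)
    if claims.get("iss") != expected_issuer or claims.get("aud") != audience:
        return None
    key = KEYS_BY_ISSUER[expected_issuer].get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    return claims


def demo() -> dict:
    """Compare both validators on a legitimate enterprise token and on a token
    signed with the consumer key that claims enterprise issuer and audience."""
    good = mint_token("aad-key-1", KEYS_BY_ISSUER[ENTERPRISE_ISSUER]["aad-key-1"],
                      {"iss": ENTERPRISE_ISSUER, "aud": EXCHANGE_AUDIENCE, "upn": "user-a@example.com"})
    cross_issuer = mint_token("msa-key-1", KEYS_BY_ISSUER[CONSUMER_ISSUER]["msa-key-1"],
                              {"iss": ENTERPRISE_ISSUER, "aud": EXCHANGE_AUDIENCE, "upn": "user-b@example.com"})
    return {
        "naive_accepts_good": naive_verify(good, EXCHANGE_AUDIENCE) is not None,
        "naive_accepts_cross_issuer": naive_verify(cross_issuer, EXCHANGE_AUDIENCE) is not None,
        "scoped_accepts_good": scoped_verify(good, EXCHANGE_AUDIENCE, ENTERPRISE_ISSUER) is not None,
        "scoped_accepts_cross_issuer": scoped_verify(cross_issuer, EXCHANGE_AUDIENCE, ENTERPRISE_ISSUER) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The naive validator accepts the cross-issuer token because the signature is mathematically valid under a key it knows; the scoped validator rejects it because the key ID is not in the enterprise issuer's key set. The defensive lesson is that signature validity alone is not authorization: key sets must be bound to the issuer and audience a resource is willing to trust.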
Microsoft’s response
Microsoft has revoked the stolen signing key in response. The tech giant has also concluded that no unauthorized access to customer accounts occurred via access token forgery.
Furthermore, the tech giant now allows more free access to cloud logging data. This helps security experts to identify potential breaches involving (forged) access tokens.