• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

CISA released Thorium platform to support malware and forensic analysis

 | 

Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware

 | 

Dahua Camera flaws allow remote hacking. Update firmware now

 | 

Researchers released a decryptor for the FunkSec ransomware

 | 

Apple fixed a zero-day exploited in attacks against Google Chrome users

 | 

PyPI maintainers alert users to email verification phishing attack

 | 

FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms

 | 

Critical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company

 | 

Orange reports major cyberattack, warns of service disruptions

 | 

Hackers leak images and comments from women dating safety app Tea

 | 

Pro-Ukraine hacktivists claim cyberattack on Russian Airline Aeroflot that caused the cancellation of +100 flights

 | 

Seychelles Commercial Bank Reported Cybersecurity Incident

 | 

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

 | 

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber warfare
  • Intelligence
  • Security
  • Chinese hackers compromised emails of U.S. Government agencies

Chinese hackers compromised emails of U.S. Government agencies

Pierluigi Paganini July 13, 2023

Chinese hackers have compromised the emails of an unnamed US Federal Civilian Executive Branch (FCEB) agency.

In Mid-June a malicious email activity was reported by an unnamed US Federal Civilian Executive Branch (FCEB) agency. Microsoft experts who investigated the suspicious activity discovered that China-linked threat actors have targeted the agency as part of a cyberespionage campaign targeting two dozen organizations.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) on July 12, 2023 have published a joint advisory to warn organizations and allow them to enhance organizational cybersecurity posture and position organizations to detect similar malicious activity via implementing the listed logging recommendations.

“In June 2023, a Federal Civilian Executive Branch (FCEB) agency observed unexpected events in Microsoft 365 (M365) audit logs. After reporting the incident to Microsoft, network defenders deemed the activity malicious.” reads the advisory published by US CISA. 

According to the Washington Post, the Chinese cyberspies breached the U.S. State Department email system. The threat actors also targeted the Commerce Department, a congressional staffer, a U.S. human rights advocate, and U.S. think tanks.

“Chinese cyberspies, exploiting a fundamental gap in Microsoft’s cloud, hacked email accounts at the Commerce and State departments, including that of Commerce Secretary Gina Raimondo — whose agency has imposed stiff export controls on Chinese technologies that Beijing has denounced as a malicious attempt to suppress its companies.” reported the Washington Post. “Raimondo is the only known Cabinet-level official to have their account compromised in the targeted cyberespionage campaign, according to U.S. officials familiar with the matter, who spoke on the condition of anonymity due to the matter’s sensitivity.”

US CISA urges organizations to enable audit logging, enable Purview Audit (Premium) logging, ensure logs are searchable by operators, enable Microsoft 365 Unified Audit Logging (UAL), and understand the organization’s cloud baseline.

Microsoft announced this week it has mitigated an attack conducted by a China-linked threat actor, tracked as Storm-0558, which targeted customer emails.

Storm-0558 threat actors focus on government agencies in Western Europe and were observed conducting cyberespionage, data theft, and credential access attacks. The attack was reported by a customer on June 16, 2023. The investigation revealed that the attack began on May 15, 2023, when Storm-0558 gained access to email accounts affecting approximately 25 organizations, including government agencies as well as related consumer accounts of individuals likely associated with these organizations.

The attackers forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.

“Our telemetry indicates that we have successfully blocked Storm-0558 from accessing customer email using forged authentication tokens. No customer action is required.” reads the post published by Microsoft. “As with any observed nation-state actor activity, Microsoft has contacted all targeted or compromised organizations directly via their tenant admins and provided them with important information to help them investigate and respond.”

Microsoft researchers discovered that the threat actors gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email.  

The attackers used an acquired MSA key to forge the tokens to access OWA and Outlook.com. The attackers exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.

China denied any accusation and blames the US of being the most aggressive government in the cyberspace. Below is an abstract from the Foreign Ministry Spokesperson Wang Wenbin’s Regular Press Conference on July 12, 2023:

Bloomberg: Last night or early this morning, Microsoft said it found a China-based group that was targeting government agencies in western Europe. Does China have any comment on this report and have you had any contact with governments in western Europe asking about this?
Wang Wenbin: We noted the reports saying that the spokesman for the White House National Security Council claimed that US officials found hackers linked to China took advantage of a security weakness in Microsoft’s cloud-computing to break into unclassified email accounts of the US, and the US has notified Microsoft about this. I would like to say that in the past, it was usually the world’s No.1 hacking group—the US National Security Agency, which also serves as the US Cyber Force Command, that released such kind of disinformation. This time, it was the US National Security Council that made a public statement. Whatever agency spoke, it does not change the fact that the US is the world’s biggest hacking empire and global cyber thief.
Since last year, cyber security institutions from China and elsewhere in the world have issued reports to reveal US government’s cyber attacks against China over the years, but the US has yet to make a response. It is high time that the US explained its cyber attack activities and stopped spreading disinformation to deflect public attention.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chinese hackers)


facebook linkedin twitter

China Cyberespionage Hacking hacking news information security news Intelligence IT Information Security Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini August 01, 2025
CISA released Thorium platform to support malware and forensic analysis
Read more
Pierluigi Paganini July 31, 2025
Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    CISA released Thorium platform to support malware and forensic analysis

    Cyber Crime / August 01, 2025

    Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware

    APT / July 31, 2025

    Dahua Camera flaws allow remote hacking. Update firmware now

    Hacking / July 31, 2025

    Researchers released a decryptor for the FunkSec ransomware

    Malware / July 31, 2025

    Apple fixed a zero-day exploited in attacks against Google Chrome users

    Security / July 30, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT