Chinese hackers compromised emails of U.S. Government agencies

Chinese hackers have compromised the emails of an unnamed US Federal Civilian Executive Branch (FCEB) agency.

In mid-June, malicious email activity was reported by an unnamed US Federal Civilian Executive Branch (FCEB) agency. Microsoft experts who investigated the suspicious activity discovered that China-linked threat actors had targeted the agency as part of a cyberespionage campaign aimed at two dozen organizations.

On July 12, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory to warn organizations about the activity. The advisory is meant to help organizations strengthen their cybersecurity posture and put them in a position to detect similar malicious activity by implementing the logging recommendations it lists.

“In June 2023, a Federal Civilian Executive Branch (FCEB) agency observed unexpected events in Microsoft 365 (M365) audit logs. After reporting the incident to Microsoft, network defenders deemed the activity malicious.” reads the advisory published by US CISA.

According to the Washington Post, the Chinese cyberspies breached the U.S. State Department email system. The threat actors also targeted the Commerce Department, a congressional staffer, a U.S. human rights advocate, and U.S. think tanks.

“Chinese cyberspies, exploiting a fundamental gap in Microsoft’s cloud, hacked email accounts at the Commerce and State departments, including that of Commerce Secretary Gina Raimondo — whose agency has imposed stiff export controls on Chinese technologies that Beijing has denounced as a malicious attempt to suppress its companies.” reported the Washington Post. “Raimondo is the only known Cabinet-level official to have their account compromised in the targeted cyberespionage campaign, according to U.S. officials familiar with the matter, who spoke on the condition of anonymity due to the matter’s sensitivity.”

US CISA urges organizations to enable audit logging, enable Purview Audit (Premium) logging, ensure logs are searchable by operators, enable Microsoft 365 Unified Audit Logging (UAL), and understand the organization’s cloud baseline.
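The logging recommendations above only pay off if someone compares new audit events against what is normal for each account. The following Python, an added example that is not part of the article or of the CISA advisory, builds a per-user baseline of (client IP, application) pairs from a learning window of Microsoft 365 Unified Audit Log records and flags mailbox-read events that fall outside it. The records are constructed, carry only a simplified subset of the real AuditData fields, and use the MailItemsAccessed operation that Purview Audit (Premium) logging provides for mailbox reads.

```python
import json
from collections import defaultdict

# Constructed sample of Microsoft 365 Unified Audit Log records, one JSON object per
# line as an export would give them; only a subset of the real AuditData fields is kept.
# Records before the cutoff form the learning window (the "cloud baseline"); the rest
# are the period under review. MailItemsAccessed is the Purview Audit (Premium) read event.
SAMPLE_UAL = """
{"CreationTime": "2023-05-01T08:02:11", "Operation": "MailItemsAccessed", "UserId": "analyst@agency.example", "ClientIPAddress": "203.0.113.10", "AppId": "outlook-web"}
{"CreationTime": "2023-05-03T09:15:40", "Operation": "MailItemsAccessed", "UserId": "analyst@agency.example", "ClientIPAddress": "203.0.113.10", "AppId": "outlook-web"}
{"CreationTime": "2023-05-04T17:45:02", "Operation": "MailItemsAccessed", "UserId": "analyst@agency.example", "ClientIPAddress": "203.0.113.11", "AppId": "outlook-desktop"}
{"CreationTime": "2023-05-05T11:20:33", "Operation": "UserLoggedIn", "UserId": "analyst@agency.example", "ClientIPAddress": "203.0.113.10", "AppId": "outlook-web"}
{"CreationTime": "2023-05-16T03:12:09", "Operation": "MailItemsAccessed", "UserId": "analyst@agency.example", "ClientIPAddress": "198.51.100.77", "AppId": "outlook-web"}
{"CreationTime": "2023-05-16T08:30:00", "Operation": "MailItemsAccessed", "UserId": "analyst@agency.example", "ClientIPAddress": "203.0.113.10", "AppId": "outlook-web"}
"""

def parse_ual(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_baseline(records):
    """Per user, the set of (client IP, app id) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for r in records:
        baseline[r["UserId"]].add((r["ClientIPAddress"], r["AppId"]))
    return baseline

def find_anomalies(records, baseline):
    """Mailbox-read events whose (IP, app) pair was never seen for that user before."""
    hits = []
    for r in records:
        if r["Operation"] != "MailItemsAccessed":
            continue
        if (r["ClientIPAddress"], r["AppId"]) not in baseline.get(r["UserId"], set()):
            hits.append(r)
    return hits

def review(text, cutoff):
    """Split records at cutoff (ISO timestamp), learn a baseline, then review the rest."""
    records = parse_ual(text)
    learn = [r for r in records if r["CreationTime"] < cutoff]
    check = [r for r in records if r["CreationTime"] >= cutoff]
    return find_anomalies(check, build_baseline(learn))

if __name__ == "__main__":
    for hit in review(SAMPLE_UAL, "2023-05-15"):
        print("review:", hit["CreationTime"], hit["UserId"], hit["ClientIPAddress"], hit["AppId"])
```

Without Purview Audit (Premium) enabled there are no MailItemsAccessed records to review, which is why the advisory puts that setting first.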

Microsoft announced this week it has mitigated an attack conducted by a China-linked threat actor, tracked as Storm-0558, which targeted customer emails.

Storm-0558 threat actors focus on government agencies in Western Europe and were observed conducting cyberespionage, data theft, and credential access attacks. The attack was reported by a customer on June 16, 2023. The investigation revealed that the attack began on May 15, 2023, when Storm-0558 gained access to email accounts affecting approximately 25 organizations, including government agencies as well as related consumer accounts of individuals likely associated with these organizations.

The attackers forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.

“Our telemetry indicates that we have successfully blocked Storm-0558 from accessing customer email using forged authentication tokens. No customer action is required.” reads the post published by Microsoft. “As with any observed nation-state actor activity, Microsoft has contacted all targeted or compromised organizations directly via their tenant admins and provided them with important information to help them investigate and respond.”

Microsoft researchers determined that the threat actors reached customer email accounts through Outlook Web Access in Exchange Online (OWA) and Outlook.com, authenticating with forged tokens.

The attackers used the acquired MSA consumer key to forge tokens for OWA and Outlook.com, and exploited a token validation issue that let those tokens impersonate Azure AD users, giving them access to enterprise mail.
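The point of the two preceding sentences is that a signing key obtained for one population of accounts was accepted as proof of identity for another. The Python below is an added illustration of that class of validation mistake, written for this article; it is not Microsoft's code and makes no claim about the exact flaw in Microsoft's implementation. It uses constructed HMAC keys and a minimal header.payload.signature token format, and contrasts a validator that looks a key id up across every issuer's key set with one that only accepts keys belonging to the issuer the service expects.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed key material: each issuer has its own signing keys, identified by a key id.
KEYS_BY_ISSUER = {
    "https://consumer.example/": {"msa-key-1": b"consumer-secret"},               # consumer accounts
    "https://enterprise.example/tenant-a/": {"aad-key-1": b"tenant-a-secret"},    # enterprise tenant
}

def sign_token(issuer, kid, claims):
    """Sign arbitrary claims with one of the given issuer's keys (HMAC-SHA256 stand-in)."""
    header = {"alg": "HS256", "kid": kid}
    body = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS_BY_ISSUER[issuer][kid], body.encode(), hashlib.sha256).digest()
    return body + "." + b64url(sig)

def _split(token):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s), h + "." + p

def _signature_ok(key, body, sig):
    return hmac.compare_digest(hmac.new(key, body.encode(), hashlib.sha256).digest(), sig)

def validate_weak(token, expected_issuer):
    """Flawed: resolves the kid across every issuer's keys, so a key trusted only for
    consumer tokens can vouch for claims that name the enterprise issuer."""
    header, claims, sig, body = _split(token)
    all_keys = {k: v for keys in KEYS_BY_ISSUER.values() for k, v in keys.items()}
    key = all_keys.get(header["kid"])
    if key is None or not _signature_ok(key, body, sig):
        return None
    return claims if claims.get("iss") == expected_issuer else None

def validate_strict(token, expected_issuer):
    """Hardened: the issuer must be the one this service expects, and the kid must be
    found in that issuer's own key set; keys of other issuers are never consulted."""
    header, claims, sig, body = _split(token)
    if claims.get("iss") != expected_issuer:
        return None
    key = KEYS_BY_ISSUER.get(expected_issuer, {}).get(header["kid"])
    if key is None or not _signature_ok(key, body, sig):
        return None
    return claims
```

The same scoping rule applies to real JWT validation: resolve the key id only within the key set published by the issuer you have already decided to trust for this audience, never from a merged pool.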

China denied the accusations and in turn accused the US of being the most aggressive government in cyberspace. Below is an excerpt from Foreign Ministry Spokesperson Wang Wenbin’s regular press conference of July 12, 2023:

Bloomberg: Last night or early this morning, Microsoft said it found a China-based group that was targeting government agencies in western Europe. Does China have any comment on this report and have you had any contact with governments in western Europe asking about this?

Wang Wenbin: We noted the reports saying that the spokesman for the White House National Security Council claimed that US officials found hackers linked to China took advantage of a security weakness in Microsoft’s cloud-computing to break into unclassified email accounts of the US, and the US has notified Microsoft about this. I would like to say that in the past, it was usually the world’s No.1 hacking group—the US National Security Agency, which also serves as the US Cyber Force Command, that released such kind of disinformation. This time, it was the US National Security Council that made a public statement. Whatever agency spoke, it does not change the fact that the US is the world’s biggest hacking empire and global cyber thief.

Since last year, cyber security institutions from China and elsewhere in the world have issued reports to reveal US government’s cyber attacks against China over the years, but the US has yet to make a response. It is high time that the US explained its cyber attack activities and stopped spreading disinformation to deflect public attention.

Pierluigi Paganini