Pierluigi Paganini September 29, 2023

China-linked threat actors stole around 60,000 emails from U.S. State Department after breaching Microsoft’s Exchange email platform in May.

China-linked hackers who breached Microsoft’s email platform in May have stolen tens of thousands of emails from U.S. State Department accounts, a Senate staffer told Reuters this week.

During a briefing by U.S. State Department IT officials, officials told lawmakers that threat actors stole at least 60,000 emails from a 1 total of 10 State Department accounts. The accounts belong to State Department officials who were working in East Asia, the Pacific, and Europe.

“The State Department individuals whose accounts were compromised mostly focused on Indo-Pacific diplomacy efforts, and the hackers also obtained a list containing all of the department’s emails, according to the Wednesday briefing.” reported Reuters.

According to the officials, none of the stolen emails were classified.

“it was approximately 60,000 unclassified emails that were exfiltrated as a part of that breach. No, classified systems were not hacked. These only related to the unclassified system” State Department spokesman Matthew Miller told reporters. “We have not made an attribution at this point, but, as I said before, we have no reason to doubt the attribution that Microsoft has made publicly. Again this was a hack of Microsoft systems that the State Department uncovered and notified Microsoft about.”

In July, Microsoft announced it had mitigated an attack conducted by a China-linked threat actor, tracked as Storm-0558, which targeted customer emails.

Storm-0558 threat actors focus on government agencies in Western Europe and were observed conducting cyberespionage, data theft, and credential access attacks. The attack was reported by a customer on June 16, 2023. The investigation revealed that the attack began on May 15, 2023, when Storm-0558 gained access to email accounts affecting approximately 25 organizations, including government agencies as well as related consumer accounts of individuals likely associated with these organizations.

The attackers forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.

Microsoft researchers discovered that the threat actors gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email.  

The attackers used an acquired MSA key to forge the tokens to access OWA and Outlook.com. The attackers exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.

In early September, Microsoft shared a comprehensive technical investigation into the way attackers gained access to the Microsoft account consumer signing key.

The company discovered that threat actors stole a signing key used to breach government email accounts from a Windows crash dump after compromising a Microsoft engineer’s corporate account.

Microsoft discovered that the MSA key was accidentally leaked into a crash dump after a consumer signing system crashed in April 2021.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)