China-based hackers covertly tapped into email accounts at more than two dozen organizations since May, including two U.S. government agencies, U.S. officials and tech giant Microsoft said in separate reports.
State, Commerce Departments Among 25 Organizations Impacted
The U.S. State and Commerce Departments said in statements that they were among the affected agencies. At this time, it’s unclear other agencies that might have been compromised. Some 25 organizations along with related consumer accounts of individuals associated with the agencies are among those infiltrated by the cyber crew.
The infiltration appears to be a highly targeted spying operation, Microsoft said, and is believed to have lasted about a month. In the ensuing weeks, the government and Microsoft have been scrambling to assess the impact of the attack, CNN reported.
It appears that the cyber perpetrators homed in on email accounts at the House of Representatives, but it was unclear who was targeted and if the breach attempts were successful, CNN reported. The number of affected agencies, while not made public, is said to be “in the single digits.” No estimate of the number of affected individuals has been offered by the government.
The email account of Secretary of Commerce Gina Raimondo was also hacked, the Washington Post reported. Raimondo is the only known Cabinet-level official to have their account breached.
CISA Issues Statement
The Cybersecurity and Infrastructure Security Agency (CISA), the nation’s cyber central, said it first learned of the campaign in mid-June.
“In June 2023, a Federal Civilian Executive Branch agency identified suspicious activity in their Microsoft 365 cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data."
In a security brief, Microsoft said that it is “publishing details of activity by a China-based actor” tracked as Storm-0558. The hacking group primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access. Microsoft did not say if the cyber actors were backed by the Chinese government.
The hackers used forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key, Microsoft said. Microsoft said it has completed mitigation of this attack for all customers.
“We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.”
Comparisons to SolarWinds Discounted
A senior U.S. government official told Reuters and other outlets that this hack could not be compared to the massive SolarWinds event in 2020 that Russian-linked operatives carried out on nine federal agencies and hundreds of businesses and organizations.
"This intrusion should not be compared to SolarWinds," the official said, calling the recently discovered campaign "much narrower."
Sen. Mark Warner, (D-VA), who heads the Senate Intelligence Committee, said he and other committee members were "closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence," NBC News reported.
"It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies," Warner said. "Close coordination between the U.S. government and the private sector will be critical to countering this threat."
NBC News reported that Chinese Foreign Ministry spokesperson Wang Wenbin said U.S. officials should provide more details of the cyber break-in.
“The U.S. side should give an account of its cyberattacks as soon as possible, rather than spreading false information to divert attention,” he said at a regular news briefing in Beijing, according to the state-owned China News Service.