While Chinese hackers reportedly didn’t make off with any classified information when they broke into the cloud emails of some federal agencies, the cyber burglars may have lifted more valuable information.
In fact, email hackers hit more than two dozen organizations, including the email account of Commerce Department Secretary Gina Raimondo, as previously reported by MSSP Alert.
Wiz Report Probes Hacks
The incident could have had a wider and potentially far-reaching impact than initially thought, according to a report by security researcher Wiz. The same hackers reportedly breached the email accounts by using a Microsoft account-signing key to forge authentication tokens.
The key ultimately may have also enabled the hackers to gain entry into Microsoft’s Teams, OneDrive and Sharepoint, Wiz said. At this point, it’s not clear how the hackers obtained the key.
Wiz researchers believe that Microsoft may want to take a closer look at the potential impact of the hack. As Shir Tamari, head of research at Wiz, stated in a blog post:
“We believe this event will have long-lasting implications on our trust of the cloud and the core components that support it, above all, the identity layer which is the basic fabric of everything we do in cloud.”
Tamari said the compromised key would have given the hacking group, which Microsoft tracks as Storm-0558, access to far more than Outlook. He explained how it has extended to many other Microsoft services that use the same authentication process:
“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the 'login with Microsoft' functionality, and multi-tenant applications in certain conditions.”
Wiz’s Tamari wrote that the full impact of the incident can’t yet be determined:
“At this stage, it is hard to determine the full extent of the incident as there were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not. The first and foremost is to update their Azure SDK to the latest version and ensure their application cache is updated, otherwise their apps may still be vulnerable to a threat actor using the compromised key.”
China-tied Hackers Breach Ambassador's Email
In a statement, Microsoft said that while the Wiz blog highlights hypothetical attacks, it had not been observed in the wild.
Meanwhile, China-tied hackers have breached the email account of U.S. Ambassador to China Nicholas Burns and also accessed the email account of Daniel Kritenbrink, assistant Secretary of State for East Asia, who recently traveled with Secretary of State Antony Blinken to China, said NBC. The breach was limited to the diplomats’ unclassified email accounts, NBC reported.
Two weeks ago, word about the hacking operation surfaced from Microsoft and federal officials, who separately described a clandestine cyber espionage attack that took place during May and June 2023.
To this point, the number of affected agencies, while not made public, is said to be “in the single digits.” No estimate of the number of affected individuals has been offered by the government.
