Microsoft Explains How Chinese Hackers Breached US Government Email Accounts


Key takeaways:

  • In July, Microsoft disclosed that Chinese hackers breached US government email accounts within around 25 organizations.
  • The Storm-0558 hacking group exploited a software crash dump containing the expired Exchange signing key to gain unauthorized access.
  • Microsoft responded by revoking the compromised keys and launching a new framework for applications.

Microsoft recently disclosed a cyber-espionage campaign that allowed Chinese hackers to steal a signing key and breach sensitive US government email accounts. The company launched an investigation into the security incident, which led to the publication of detailed findings in a report released on Wednesday.

In July, Microsoft detailed that a Chinese hacking group (tracked as Storm-0558) had gained access to Entra ID (formerly Azure AD) and Exchange accounts. The threat actors obtained a Microsoft account consumer signing key and used it to forge tokens for the Azure AD cloud service. This approach allowed the hackers to access emails from around 25 organizations, including government agencies.

In a recent blog post, Microsoft admitted that the hackers stole the digital key from a software crash dump after a consumer signing system crashed in April 2021. The threat actors compromised a Microsoft engineer’s corporate account and accessed the crash dump as well as the expired Exchange signing key.

“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems,” the Microsoft Security Response team explained.

Microsoft bolsters security to prevent hackers from compromising corporate email accounts

In 2018, Microsoft launched a new framework that worked with both consumer and enterprise applications. The company also provided a converged API endpoint that applications could use to authenticate users. However, a human error prevented the programming interface from working correctly, and Microsoft believes the hackers abused that flaw to duplicate the MSA key and use it to access corporate emails.

Microsoft revoked the MSA signing keys to prevent the hackers from gaining further unauthorized access with the compromised keys, which should also block any attempt to use access tokens issued with them. Microsoft has also agreed to give all enterprise customers free access to cloud security logs from September this year, which should help security teams detect and block similar cyberattacks in the future.