Microsoft still does not know how China-backed hackers obtained a key that let them covertly access dozens of email inboxes, including those of several U.S. federal government agencies, and the company is not sharing what it does know. Microsoft disclosed the incident last Tuesday and attributed the activity, which began the previous month, to a newly identified espionage group it tracks as Storm-0558, which the company assesses has strong ties to China. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the intrusions began in mid-May and affected a small number of government accounts, reportedly in the single digits, and that the hackers exfiltrated some unclassified email data. On Wednesday, a senior spokeswoman for China's Ministry of Foreign Affairs denied the allegations, even though the U.S. government has not formally attributed the hacking to China.
Rather than breaking into individual Microsoft-powered email servers to steal corporate data, as China-backed groups have done in the past, this group went straight to the source and targeted new, previously undisclosed weaknesses in Microsoft's cloud.
Microsoft said in a blog post that the hackers obtained one of the company's consumer signing keys, known as an MSA key, which Microsoft uses to secure consumer email accounts such as those on Outlook.com. Microsoft initially believed the hackers were forging authentication tokens with a stolen enterprise signing key, the kind used to protect corporate and enterprise email accounts. It later determined that the hackers had instead used the consumer MSA key to forge tokens that were accepted for access to enterprise inboxes. In other words, a signature from a key that should only have been trusted for consumer tokens was accepted on the enterprise side, which implies that token validation there did not check that the signing key matched the issuer the token claimed.
Microsoft said it has stopped "all actor activity" related to the incident, which suggests the attack is over and the hackers have lost their access. It remains unclear how Microsoft lost control of its own key, but the company said it has tightened its key issuance processes, presumably to prevent another such digital skeleton key from being produced.
The hackers did make one important mistake. Because they used the same key to access many inboxes, Microsoft said its investigators were able "to see all actor access requests which followed this pattern across both our enterprise and consumer systems."
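The two technical points above, a consumer-scoped signing key being accepted for enterprise tokens and a single reused key leaving a pattern investigators could pivot on, as an added example that is not code from Microsoft or from the article. It uses HS256 (HMAC) JWTs as a stdlib-only simplification of the RSA-signed tokens real MSA and Azure AD issuers produce, so a "stolen key" here is a stolen shared secret; the key IDs, issuer URLs, scope mapping and log records are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for the two signing keys discussed in the article.
# Real tokens are RSA-signed; HS256 is used here so the example runs on the
# standard library alone. Each key carries the scope it is supposed to serve.
SIGNING_KEYS = {
    "msa-consumer-key-1": {"secret": b"consumer-secret-DEMO", "scope": "consumer"},
    "aad-enterprise-key-1": {"secret": b"enterprise-secret-DEMO", "scope": "enterprise"},
}

# Assumed mapping from the issuer a token claims to the key scope that may sign it.
ISSUER_SCOPE = {
    "https://login.live.com": "consumer",
    "https://login.microsoftonline.com/contoso": "enterprise",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT with the named key: exactly what anyone holding the key can do."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, c, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c)), _b64url_decode(s), h + "." + c


def validate_weak(token: str) -> bool:
    """Accepts any token whose signature verifies under any trusted key.
    The key's intended scope is never compared with the issuer the token claims,
    so a consumer key can vouch for an enterprise token."""
    header, _claims, sig, signing_input = _parse(token)
    key = SIGNING_KEYS.get(header.get("kid"))
    if key is None:
        return False
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def validate_strict(token: str) -> bool:
    """Signature check plus a binding between key scope and claimed issuer:
    a key may only vouch for tokens from issuers of its own scope."""
    if not validate_weak(token):
        return False
    header, claims, _sig, _inp = _parse(token)
    key_scope = SIGNING_KEYS[header["kid"]]["scope"]
    return ISSUER_SCOPE.get(claims.get("iss")) == key_scope


# Constructed validation log, one record per accepted request. The 'kid'
# field is the pivot: one reused key shows up across every forged request.
SAMPLE_LOG = [
    {"kid": "aad-enterprise-key-1", "iss": "https://login.microsoftonline.com/contoso", "user": "alice@contoso"},
    {"kid": "msa-consumer-key-1", "iss": "https://login.live.com", "user": "bob@outlook.com"},
    {"kid": "msa-consumer-key-1", "iss": "https://login.microsoftonline.com/contoso", "user": "cfo@contoso"},
    {"kid": "msa-consumer-key-1", "iss": "https://login.microsoftonline.com/contoso", "user": "cio@contoso"},
]


def hunt_scope_mismatch(log):
    """Return accepted requests where the signing key's scope does not match
    the scope of the issuer the token claimed: the retrospective hunt that a
    single reused key makes possible."""
    hits = []
    for rec in log:
        key_scope = SIGNING_KEYS.get(rec["kid"], {}).get("scope")
        if ISSUER_SCOPE.get(rec["iss"]) != key_scope:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    forged = sign_token("msa-consumer-key-1", {"iss": "https://login.microsoftonline.com/contoso", "sub": "cfo"})
    print("weak validator accepts forged enterprise token:", validate_weak(forged))
    print("strict validator accepts forged enterprise token:", validate_strict(forged))
    print("hunt hits:", [r["user"] for r in hunt_scope_mismatch(SAMPLE_LOG)])
```

The strict validator is the cheap fix: a key set is not one flat pool, each key belongs to an issuer, and a valid signature from the wrong issuer's key is a forgery, not a login. The hunt function is the same check run backwards over history, which is only as good as the logs retaining the `kid` of every accepted token.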
While Microsoft's expanded disclosure offered more technical detail and indicators of compromise that incident responders can use to check whether their own networks were targeted, the company still has questions to answer.
Information security specialist, currently working as a risk infrastructure specialist and investigator.
15 years of experience in risk and control processes, security audit support, business continuity design and support, workgroup management and information security standards.