
Chinese hackers... It was discovered that a group of Chinese hackers illegally accessed the US State Department account in May

Microsoft breach led to theft of 60,000 US State Dept emails

September 28, 2023, 04:45 PM


Chinese hackers stole tens of thousands of emails from U.S. State Department accounts after breaching Microsoft's cloud-based Exchange email platform in May.

During a recent Senate staff briefing, U.S. State Department officials disclosed that the attackers stole at least 60,000 emails from Outlook accounts belonging to State Department officials stationed in East Asia, the Pacific, and Europe, as Reuters first reported. Additionally, the hackers managed to obtain a list containing all of the department's email accounts.

The compromised State Department personnel primarily focused on Indo-Pacific diplomacy efforts.

"We need to harden our defenses against these types of cyberattacks and intrusions in the future, and we need to take a hard look at the federal government's reliance on a single vendor as a potential weak point," Senator Eric Schmitt said in a statement.

The reports were also confirmed by State Department spokesperson Matthew Miller in a press briefing on Thursday.

"Yes, it was approximately 60,000 unclassified emails that were exfiltrated as a part of that breach. No, classified systems were not hacked. These only related to the unclassified system," Miller told reporters.

"We have not made an attribution at this point, but, as I said before, we have no reason to doubt the attribution that Microsoft has made publicly. Again this was a hack of Microsoft systems that the State Department uncovered and notified Microsoft about."

Email breaches linked to Storm-0558 Chinese cyberspies

In July, Microsoft revealed that beginning on May 15, 2023, threat actors successfully breached Outlook accounts associated with approximately 25 organizations. The compromised organizations include the U.S. State and Commerce Departments and certain consumer accounts presumably linked to them. Microsoft did not disclose specific details regarding the affected organizations, government agencies, or countries impacted by this email breach.

The company attributed the attacks to a cyber-espionage collective known as Storm-0558, suspected of being focused on obtaining sensitive information by infiltrating the email systems of their targets.

Earlier this month, Microsoft disclosed that the threat group first obtained a consumer signing key from a Windows crash dump, a breach facilitated after compromising the corporate account of a Microsoft engineer, which enabled access to the government email accounts.
The stolen Microsoft Account (MSA) key was employed to compromise Exchange Online and Azure Active Directory (AD) accounts by exploiting a previously patched zero-day validation vulnerability in the GetAccessTokenForResource API. The flaw allowed the attackers to generate counterfeit signed access tokens, which let them impersonate accounts within the targeted organizations.
In response to the security breach, Microsoft revoked the stolen signing key and, following investigations, found no additional instances of unauthorized access to customer accounts through the same method of access token forgery.
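The validation weakness described above comes down to a token verifier that accepts a signature from the wrong key family: a key meant for consumer (MSA) tokens was honoured for tokens claiming an enterprise issuer. The following is an added illustration, not Microsoft's code and not a reconstruction of the actual API: it builds a toy JWT verifier and contrasts a "flat" key pool (any trusted key may sign any token) with a verifier that only accepts a key from the keyset published by the issuer the token claims. All keys, issuer labels, audiences and claims are constructed for the demo, and HMAC is used in place of RSA so that it runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo keys. Real signing keys are asymmetric; HMAC keeps this
# example runnable with only the standard library.
CONSUMER_KEYS = {"consumer-key-A": b"constructed-consumer-secret"}
ENTERPRISE_KEYS = {"enterprise-key-B": b"constructed-enterprise-secret"}

CONSUMER_ISSUER = "https://consumer.example/"            # constructed label
ENTERPRISE_ISSUER = "https://enterprise.example/tenant"   # constructed label
AUDIENCE = "api://mail.example"                          # constructed label

# Each issuer publishes its own keyset; a key is trusted only for its issuer.
ISSUER_KEYSETS = {CONSUMER_ISSUER: CONSUMER_KEYS, ENTERPRISE_ISSUER: ENTERPRISE_KEYS}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Produce a compact JWT (HS256) whose header names the signing key id."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, c, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c)), _b64url_decode(s), h + "." + c


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _common_claim_checks(claims: dict, audience: str, now: float):
    if claims.get("aud") != audience:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "accepted"


def verify_flat(token: str, all_keys: dict, audience: str, now=None):
    """Weak verifier: one pooled key table, so any trusted key signs for any issuer."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _parse(token)
    key = all_keys.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    return _common_claim_checks(claims, audience, now)


def verify_scoped(token: str, issuer_keysets: dict, audience: str, now=None):
    """Hardened verifier: the key id must come from the keyset of the claimed issuer."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _parse(token)
    keyset = issuer_keysets.get(claims.get("iss"))
    if keyset is None:
        return False, "unknown issuer"
    key = keyset.get(header.get("kid"))
    if key is None:
        return False, "kid not in issuer keyset"
    if not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    return _common_claim_checks(claims, audience, now)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Compare both verifiers on a consumer-key-signed token claiming the enterprise issuer."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "sub": "user@tenant.example", "exp": now + 3600}
    # A valid signature, but made with a key that was never the enterprise issuer's.
    cross_signed = sign_token(claims, "consumer-key-A", CONSUMER_KEYS["consumer-key-A"])
    genuine = sign_token(claims, "enterprise-key-B", ENTERPRISE_KEYS["enterprise-key-B"])
    pooled = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    return {
        "cross_signed_flat": verify_flat(cross_signed, pooled, AUDIENCE, now),
        "cross_signed_scoped": verify_scoped(cross_signed, ISSUER_KEYSETS, AUDIENCE, now),
        "genuine_scoped": verify_scoped(genuine, ISSUER_KEYSETS, AUDIENCE, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The flat verifier accepts the cross-signed token because the signature is mathematically valid and the key id is in its pool; the scoped verifier rejects it before touching the signature, because the key is not one the claimed issuer publishes. Binding key ids to issuers (and checking audience and expiry afterwards) is the property a defender should confirm in any token-consuming service, and it also gives a clean audit signal when a token arrives with an issuer/key mismatch.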
Under pressure from the Cybersecurity and Infrastructure Security Agency (CISA), Microsoft has also agreed to broaden access to cloud logging data at no cost, which would help network defenders identify potential breach attempts of a similar nature in the future.

Previously, such logging capabilities were exclusively accessible to customers with Purview Audit (Premium) logging licenses. Because of this, Microsoft faced criticism for impeding organizations from promptly detecting Storm-0558's attacks.


___________________________________________________________________________


US Secretary of State Antony Blinken previously told his Chinese counterpart that Washington would “take appropriate action” in response to any state-sponsored hacks, though he did not specify what that would entail. However, Beijing rejected the allegations as another case of “disinformation,” having dismissed similar hacking claims in the past.
www.rt.com

Chinese hackers stole 60,000 emails from US State Dept – officials

RT

Tens of thousands of messages were stolen from the US State Department in a major cyber attack earlier this summer, a Senate staffer told Politico. The hack was said to have targeted the US commerce chief and Washington’s top diplomat in China, Ambassador Nicholas Burns.

State Department officials offered new details on the breach during a closed-door briefing on Wednesday, saying that most of the ten government email accounts affected were owned by people working on “Indo-Pacific diplomatic efforts,” Politico reported, citing an unnamed staffer for Republican Senator Eric Schmitt.

“Among the most sensitive information stolen, the staffer said, were victims’ travel itineraries and diplomatic deliberations,” the outlet added, noting that ten Social Security numbers were potentially accessed during the hack.

The cyber attack was first reported in July by Microsoft, which pinned the blame on a “China-based threat actor” allegedly supported by the government in Beijing. In a blog post published at the time, the company also said the hackers had “espionage objectives,” but stated its conclusions were held with only “moderate confidence.”

A total of 25 entities were said to have been targeted in the June hack, among them the State Department and other government agencies. Hundreds of thousands of documents may have been involved in the breach, including around 60,000 from the State Department alone, the staffer said.
The highest-level officials reportedly targeted in the hack include US Ambassador to China Nicholas Burns and Commerce Secretary Gina Raimondo. Though the State Department has yet to formally implicate China in the breach, Raimondo herself has alleged Chinese responsibility in public comments.

“They did hack me, which was unappreciated to say the least,” she told NBC News earlier this month, adding that she raised the issue with her counterparts in Beijing during her last visit.
The commerce chief went on to argue that Washington is in “fierce competition with China at every level,” but insisted that “conflict is in no one’s interest,” echoing similar comments from other officials regarding US policy on China. President Joe Biden has repeatedly labeled Beijing as America’s top “competitor” and continues to bolster the US military presence in the Asia-Pacific in an effort to confront the People’s Republic. 

___________________________________________________________________________
Microsoft says China-linked hackers accessed government emails |  Cybersecurity News | Al Jazeera
Uploaded: Jul 12, 2023
China rejects allegations that its hackers targeted Western accounts, accusing the US of spreading ‘disinformation’.
