Here’s How Microsoft’s Mistakes Led to the Largest Breach of Unclassified US Government Data Since 2020

In a major cybersecurity breach, Chinese hackers successfully targeted the U.S. government by exploiting a flaw in Microsoft’s cloud email service, resulting in unauthorized access to approximately 25 email accounts belonging to government agencies and related individuals.

The breach, attributed to the hacking group Storm-0558, marked the largest breach of unclassified U.S. government data since the SolarWinds espionage campaign in 2020.

The Microsoft-Induced Breach

Microsoft’s investigation revealed that the China-based hacking group, Storm-0558, exploited the Office Outlook Web Access in Exchange Online (OWA) and Outlook.com services. The hackers were able to forge authentication tokens using an acquired Microsoft consumer signing key, granting them unauthorized access to enterprise email accounts.

Microsoft has yet to explain how the hackers were able to attain this key.

This malicious activity went undetected for about a month until customers alerted Microsoft of unusual mail activity.

We’re sharing more details from our investigation of the Storm-0558 campaign that targeted customer email, including our analysis of the threat actor’s techniques, tools, and infrastructure, and the steps we took to harden systems involved: https://t.co/XsgJNPMKKo

— Microsoft Threat Intelligence (@MsftSecIntel) July 14, 2023

The company has not publicly disclosed the specific government agencies targeted, but it includes the State Department, among others. Storm-0558 is believed to be a well-resourced adversary, focused on espionage, intelligence collection, and gaining access to sensitive systems.

In a blog, Microsoft acknowledged that the breach was successfully mitigated, and the hackers no longer have access to the compromised accounts. However, the company has not confirmed whether any sensitive data was exfiltrated during the month-long period that the attackers had access to the email accounts.

Microsoft’s Mistakes that Led to the Breach

As the details of the attack emerge, it becomes evident that Microsoft made several crucial mistakes that contributed to the breach and compromised the security of its cloud services. These include:

Vulnerability Oversight

One of the primary mistakes that Microsoft made was the oversight in identifying and addressing vulnerabilities in its cloud email service. The attackers exploited three vulnerabilities that should have been detected and patched during the development and testing stages.

This lack of proper oversight allowed the hacking group to take advantage of weaknesses in Microsoft’s security infrastructure.

Insufficient Key Protection

The hackers’ success in the breach was partially due to Microsoft’s mishandling of cryptographic keys. The attackers acquired an inactive Microsoft consumer signing key that was intended for securing consumer email accounts.

However, a validation error in Microsoft code enabled the hackers to forge authentication tokens not only for Azure Active Directory but also for consumer accounts. This critical mistake provided the attackers with unauthorized access to enterprise and government email accounts, compromising sensitive data.

Lack of Detection Mechanisms

Another significant mistake by the tech giant was the failure to promptly detect malicious activity by Storm-0558. The hackers’ espionage campaign went undetected for about a month until customers reported anomalous mail activity.

This indicates that Microsoft’s detection mechanisms were not adequately tuned to identify sophisticated and stealthy intrusions, leaving room for threat actors to operate undetected.

Ambiguous Communication

Microsoft’s response and communication during the incident were criticized for being ambiguous. The company avoided using clear terms like “zero-day” and used vague language to describe the attack.

A zero-day is a software vulnerability for which no patch has been released. This means that attackers can exploit the vulnerability without any fear of being detected by security software.

Transparent and straightforward communication is crucial during cybersecurity incidents to foster trust among users and enable them to understand the nature and severity of the threat they face.

Limited Access to Crucial Logs

The implementation of a “pay-to-play” monitoring policy further compounded the mistakes made by Microsoft. The U.S. Cybersecurity and Information Security Agency (CISA) discovered the intrusion through audit logs that track logins and critical events affecting customers’ Microsoft cloud accounts.

The company restricted access to critical security logs, making them available only to customers who could afford the higher-tier E5 enterprise license.

This left organizations with lower-tier licenses at a disadvantage, as they were unable to access crucial information to detect and respond to potential breaches promptly.

Delayed Patching

Although Microsoft eventually patched the vulnerabilities that the attackers exploited, the fact that the breach remained undetected for a month raises questions about the timeliness of their response.

Swift patching of critical vulnerabilities is vital to minimize the window of opportunity for threat actors and prevent further exploitation.

Lack of Specific Attribution

Microsoft’s reluctance to explicitly attribute the attack to China, despite Storm-0558’s strong nexus to the country, raised eyebrows in the cybersecurity community. Ambiguity in attribution can hinder coordinated response efforts and international cooperation to proactively address state-sponsored cyber threats.

Mitigation and Hardening Measures by Microsoft

In response to the breach caused by Storm-0558, Microsoft took swift action to mitigate the token forgery technique and the validation error in Outlook Web Access (OWA) and Outlook.com.

These measures were implemented to protect customers’ data and prevent further unauthorized access. No customer action is required, as Microsoft claims that it has taken the following steps on their behalf.

Token Renewal Mitigation: On June 26, Microsoft implemented a measure in OWA to stop accepting tokens issued from the GetAccessTokensForResource API for renewal. This action helped mitigate the abuse of token renewal by the threat actors.

Blocking Tokens with Acquired MSA Key: On June 27, Microsoft swiftly blocked the usage of tokens signed with the acquired Microsoft Account (MSA) key in OWA. By doing so, they prevented further unauthorized access and malicious activity by the threat actors within enterprise mail systems.

Key Replacement: To further strengthen security, on June 29, Microsoft completed the replacement of the MSA key. The old MSA signing keys, including the one acquired by the threat actors, were revoked. The new MSA signing keys are issued in substantially updated systems with increased isolation from government accounts, corporate environments, applications, and users. Additionally, the key store used for enterprise systems now stores the MSA signing keys.

Blocking Key Usage for Consumer Customers: To ensure comprehensive protection, on July 3, Microsoft took the precaution of blocking the usage of the MSA key for all impacted consumer customers. This measure prevented the use of any previously-issued tokens that might have been acquired by the threat actors.

Ongoing Monitoring and Protections: Microsoft maintains a vigilant stance against Storm-0558’s activities and continues to monitor their actions closely. The company is committed to implementing further protective measures for its customers to prevent future incidents.

Microsoft assures its customers that they don’t need to take any specific actions to prevent threat actors from exploiting the techniques used in this breach. The mitigation and hardening measures have been put in place proactively by Microsoft on their behalf, safeguarding their Exchange Online and Outlook.com services.

The Aftermath and Ongoing Concerns

Although Microsoft has taken measures to prevent similar attacks in the future, the incident has raised broader concerns about the security of cloud services. The breach’s scale and potential access to sensitive government data underscore the importance of robust security measures and constant vigilance.

Furthermore, the U.S. government has not officially attributed the attack to China, despite the hackers’ ties to the country. This reluctance may be due to geopolitical considerations and the complexities involved in attribution. The attack shows the tremendous abilities and innovative thinking of China-linked hacking groups, suggesting more attacks of this sort are likely.

In response to the breach, the U.S. cybersecurity agency CISA and the FBI have urged organizations to report any anomalous activity in Microsoft 365, emphasizing the importance of collaboration and information sharing to enhance overall cybersecurity.

The incident serves as a stark reminder that cybersecurity threats are continually evolving, and organizations, both public and private, must remain vigilant and invest in comprehensive security measures to protect their data and systems.

As the cybersecurity landscape evolves, continuous vigilance and collaboration among organizations and security agencies remain crucial in defending against sophisticated threat actors.

Related Articles

• How to Buy Microsoft Stock in July 2023
  
• 88% of Data Breaches Are Due to Human Error – Here Are 8 Tips to Teach Employees Cybersecurity Before Your Business is Hacked
  
• Think AI Has Already Changed the World? This is a Tiny Fraction of the Potential of LLMs: Next They’re Set to Revolutionize Biology