Incident Details

Field | Value |
---|---|
Victimized Company: | US Department of State & Department of Commerce, among others |
Incident Dates: | 2023-05-15 to 2023-06-16 |
Disclosure Date: | 2023-07-11 |
Current Status: | Investigation ongoing |
In July of 2023, Microsoft disclosed a compromise of Exchange Online that targeted “25 organizations … including government agencies as well as related consumer accounts of individuals likely associated with these organizations.” The vector of compromise was several validation flaws in the Microsoft-hosted Exchange Online and AzureAD services.
As reported by CISA:
In June 2023, a Federal Civilian Executive Branch (FCEB) agency [subsequently identified by CNN as the US State Dept] identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.
By an as-yet-undisclosed method, the threat actor obtained a Microsoft Account (MSA) consumer signing key. Using that highly sensitive key, the actor forged authentication tokens and pivoted into enterprise Exchange Online environments because of a token-validation error on Microsoft’s part. Per Microsoft: “The method by which the actor acquired the key is a matter of ongoing investigation.”1
Identified victims include:
In a follow-up research post, cloud security company Wiz noted:
“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the “login with Microsoft” functionality, and multi-tenant applications in certain conditions.”
“This led us to believe that although the compromised key acquired by Storm-0558 was a private key designed for Microsoft’s MSA tenant in Azure, it was also able to sign OpenID v2.0 tokens for multiple types of Azure Active Directory applications.”
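The validation error described above, and the Wiz observation that a key scoped to the consumer (MSA) issuer could sign tokens that enterprise applications accepted, come down to one question a token verifier must answer: which key set is this key allowed to come from? The following is an added example, not code from the original page, Microsoft, CISA or Wiz, that models that class of bug. It contrasts a verifier that resolves the token's `kid` against the union of every published key set with one that only consults the key set of the issuer the relying party trusts. Issuer URLs, key IDs, the audience name and the HMAC secrets are constructed for the example; HS256 is used only so it runs with the standard library, where real OpenID tokens are RSA-signed with keys published via JWKS.

```python
import base64
import hashlib
import hmac
import json

# Constructed key sets: each issuer publishes its own keys under its own key IDs.
CONSUMER_ISS = "https://login.live.com"                        # consumer (MSA) issuer
ENTERPRISE_ISS = "https://login.microsoftonline.com/tenant-a"  # an enterprise tenant
ISSUER_KEYS = {
    CONSUMER_ISS: {"msa-key-1": b"constructed-consumer-secret"},
    ENTERPRISE_ISS: {"aad-key-1": b"constructed-enterprise-secret"},
}
AUDIENCE = "exchange-online"   # constructed audience name for the mail service
NOW = 1_686_800_000            # fixed clock so the results are deterministic


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, kid: str, key: bytes) -> str:
    """Mint an HS256 token. The signer picks whatever kid and key it holds."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def _parse(token: str):
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    payload = json.loads(_b64url_decode(body_b64))
    return header, payload, (head_b64 + "." + body_b64).encode(), _b64url_decode(sig_b64)


def _signature_ok(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig)


def _claims_ok(payload: dict, now: int) -> bool:
    return payload.get("aud") == AUDIENCE and int(payload.get("exp", 0)) > now


def verify_key_by_kid_only(token: str, now: int = NOW):
    """Flawed verifier: resolves kid against the union of every published key set,
    so a key issued for consumer tokens also validates enterprise tokens."""
    header, payload, signing_input, sig = _parse(token)
    if header.get("alg") != "HS256":          # never let the token pick "none"
        return None
    all_keys = {kid: key for keys in ISSUER_KEYS.values() for kid, key in keys.items()}
    key = all_keys.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig) or not _claims_ok(payload, now):
        return None
    return payload


def verify_scoped_to_issuer(token: str, expected_iss: str, now: int = NOW):
    """Hardened verifier: the relying party decides which issuer it trusts, looks
    kid up only in that issuer's key set, and requires the iss claim to match."""
    header, payload, signing_input, sig = _parse(token)
    if header.get("alg") != "HS256" or payload.get("iss") != expected_iss:
        return None
    key = ISSUER_KEYS.get(expected_iss, {}).get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig) or not _claims_ok(payload, now):
        return None
    return payload


def forge_enterprise_token() -> str:
    """What an attacker holding only the consumer signing key can produce:
    enterprise issuer and audience in the claims, consumer kid in the header."""
    claims = {"iss": ENTERPRISE_ISS, "aud": AUDIENCE,
              "sub": "victim@tenant-a.example", "exp": NOW + 3600}
    return sign(claims, "msa-key-1", ISSUER_KEYS[CONSUMER_ISS]["msa-key-1"])


def legitimate_enterprise_token() -> str:
    claims = {"iss": ENTERPRISE_ISS, "aud": AUDIENCE,
              "sub": "user@tenant-a.example", "exp": NOW + 3600}
    return sign(claims, "aad-key-1", ISSUER_KEYS[ENTERPRISE_ISS]["aad-key-1"])


if __name__ == "__main__":
    forged = forge_enterprise_token()
    print("flawed verifier accepts forged token:", verify_key_by_kid_only(forged) is not None)
    print("scoped verifier accepts forged token:",
          verify_scoped_to_issuer(forged, ENTERPRISE_ISS) is not None)
```

The signature on the forged token is genuine; the only defence is that the verifier refuses to consult a key set the token's claimed issuer does not own. Binding key selection to the trusted issuer, rather than to a globally unique `kid`, is the property to check in any relying party that consumes tokens from more than one identity provider.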
Date | Event |
---|---|
May 15, 2023 | Storm-0558 begins to use forged authentication tokens to access mailboxes |
June 16, 2023 | Federal Agency notices abnormal MailItemsAccessed in M365 Audit Logs |
June 16, 2023 | Microsoft disables the stolen signing key |
July 11, 2023 | Microsoft quietly discloses the incident on their security blog |
July 12, 2023 | CISA issues an advisory describing the incident |
July 14, 2023 | Microsoft discloses a signing key was compromised and used in this incident |
July 19, 2023 | Microsoft announces that the E5 Audit logs that enabled detection of this incident will now be available to all customers. |
July 20, 2023 | WSJ Reports the US Ambassador to China was one of the victims |
July 21, 2023 | Cloud security firm Wiz publishes a blog post outlining broader potential impacts of the signing key leak. (Archived Copy) |
July 27, 2023 | Sen. Wyden sends letter to the Attorney General and heads of CISA and the FTC asking them to investigate Microsoft’s security practices. |
August 11, 2023 | DHS announces that the Cyber Safety Review Board will conduct a review of cloud security, specifically focusing on this incident |
August 15, 2023 | US Representative Don Bacon discloses he was notified by the FBI his personal and political email accounts were targeted by the attacker. |
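The June 16 detection came from MailItemsAccessed records in the M365 Unified Audit Log, the log that at the time was only available under the E5 licensing tier. As an added example, not from the original page, Microsoft, CISA or Wiz, the following Python hunt runs over an exported audit log (one AuditData JSON object per line, as you would get by dumping the output of Search-UnifiedAuditLog), aggregates mail access per mailbox, application and source IP, and flags two things: an application ID outside the tenant's baseline allow-list, and events Exchange marked as throttled, which indicates bulk mailbox access within a 24-hour window. The field names follow the MailItemsAccessed mailbox-audit schema; the user names, application IDs, IP addresses and log lines are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed allow-list of application IDs the tenant expects to read mail.
# In practice this comes from a baseline window, not a hard-coded set.
KNOWN_APP_IDS = {"app-outlook-desktop", "app-owa"}


def _event(user, app, ip, access_type, throttled="False", operation="MailItemsAccessed"):
    """Build one constructed audit record as a JSON line (sample data only)."""
    return json.dumps({
        "CreationTime": "2023-06-15T08:00:00",
        "Operation": operation,
        "UserId": user,
        "AppId": app,
        "ClientIPAddress": ip,
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": access_type},
            {"Name": "IsThrottled", "Value": throttled},
        ],
    })


# Constructed JSONL export; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    _event("alice@example.gov", "app-owa", "203.0.113.5", "Bind"),
    _event("alice@example.gov", "app-owa", "203.0.113.5", "Bind"),
    # Same mailbox read through an application ID the tenant has never baselined.
    _event("alice@example.gov", "app-unregistered-1", "198.51.100.77", "Sync"),
    _event("alice@example.gov", "app-unregistered-1", "198.51.100.77", "Sync"),
    # A known client, but Exchange throttled the event: the mailbox exceeded the
    # MailItemsAccessed volume limit, which is what mass collection looks like.
    _event("bob@example.gov", "app-outlook-desktop", "203.0.113.9", "Bind", throttled="True"),
    # A non-mail operation and a corrupt line: both must be skipped, not crash the hunt.
    _event("carol@example.gov", "app-owa", "203.0.113.5", "Bind", operation="FileAccessed"),
    '{"Operation": "MailItemsAccessed", "UserId": ',
]


def op_prop(record, name):
    """Read a value out of the OperationProperties name/value list."""
    for prop in record.get("OperationProperties") or []:
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def parse_records(lines):
    """Yield parsed MailItemsAccessed records; skip other operations and bad JSON."""
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("Operation") == "MailItemsAccessed":
            yield record


def summarize(records):
    """Aggregate events per (mailbox, application, source IP)."""
    groups = defaultdict(lambda: {"count": 0, "access_types": set(), "throttled": False})
    for r in records:
        g = groups[(r.get("UserId"), r.get("AppId"), r.get("ClientIPAddress"))]
        g["count"] += 1
        g["access_types"].add(op_prop(r, "MailAccessType"))
        if str(op_prop(r, "IsThrottled")).lower() == "true":
            g["throttled"] = True
    return groups


def find_suspicious(records, known_app_ids=KNOWN_APP_IDS):
    """Flag groups whose application is outside the baseline or that hit the
    MailItemsAccessed throttle. A forged token is indistinguishable from a real
    one at the authentication layer, so the hunt keys on what the token was
    used for: which app, from where, against whose mailbox, and how much."""
    findings = []
    for (user, app, ip), g in summarize(records).items():
        reasons = []
        if app not in known_app_ids:
            reasons.append("unknown_app")
        if g["throttled"]:
            reasons.append("throttled")
        if reasons:
            findings.append({"user": user, "app": app, "ip": ip, "count": g["count"],
                             "access_types": sorted(t for t in g["access_types"] if t),
                             "reasons": reasons})
    return sorted(findings, key=lambda f: (f["user"], f["app"], f["ip"]))


if __name__ == "__main__":
    for finding in find_suspicious(parse_records(SAMPLE_LOG)):
        print(finding)
```

The two heuristics are deliberately cheap: an allow-list of application IDs is something any tenant can build from a quiet baseline window, and the throttle flag is set by Exchange itself. Neither helps if the MailItemsAccessed records were never written, which is the substance of the licensing complaint discussed below.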
Microsoft has designated this threat actor Storm-0558 “a China-based threat actor with espionage objectives” and “maintain[s] high confidence that Storm-0558 operates as its own distinct group”.
There have been calls for Microsoft to change its licensing model so that all customers receive the level of audit logging the Department of State had subscribed to. Both CISA and Sen. Ron Wyden have criticized Microsoft for providing the logging needed to detect this incident only under its highest-tier license.
“Every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box to reasonably detect malicious cyber activity,” a senior CISA official said Wednesday on a press call discussing the incident.
Microsoft was forced to concede this revenue stream and will make these logs free starting in September 2023.
Senator Ron Wyden (D-OR) sent a letter to the US Attorney General, along with the heads of CISA and the FTC asking for:
It is too early to say what consequences, if any, Microsoft will face from the DOJ or FTC, or what else CISA’s review will find.
While this incident was the direct responsibility of Microsoft, one lesson for organizations operating in the cloud is to make sure you are paying for the level of logging your risk profile requires.
The Wiz blog has a number of suggestions for detecting whether your environment was affected by the leaked MSA key.
1. Microsoft: Analysis of Storm-0558 techniques for unauthorized email access, July 14, 2023
2. CNN: China-based hackers breached US government email accounts, Microsoft and White House say, July 12, 2023