Storm-0558, a threat actor based in China, has recently gained access to a Microsoft account consumer key. This has allowed them to infiltrate and compromise 25 organizations, including those within government agencies.
Since May 15, 2023, they have been using fake tokens to access emails for espionage.
On July 11, 2023, Microsoft implemented a block on the campaign of Storm-0558 while ensuring that other environments were not affected.
U.S. Commerce Secretary Gina Raimondo and other high-profile individuals may have had their private emails accessed by hackers.
Investigation from Microsoft
After categorizing the threat actor group, Microsoft initiated an inquiry into the methods employed by the threat actors to obtain the Microsoft account consumer signing key and how it was utilized to gain entry into enterprise email systems.
In their investigation, the company determined a consumer signing system crash in April of 2021, which led to the creation of a snapshot of the crashed process.
At the time of occurrence, it was not within Microsoft’s knowledge that the crash dump contained the aforementioned key material.
Then, the crash dump was found to be moved to the debugging environment on the internet-connected corporate network, believing the key was not included.
Microsoft believes the key was leaked from the crash dump in the corporate environment by successfully compromising a Microsoft engineer’s corporate account.
“Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”
Microsoft has reported that the problems mentioned above have been resolved, and an improved credential scanning technology has been implemented to identify the signing key’s existence more accurately.
The Chinese Embassy, situated in Washington, D.C., did not respond to an email sent. The government of China has dismissed the accusation of stealing emails belonging to high-ranking officials in the United States as “unfounded.”
Organizations must take proactive measures to ensure the security of their accounts and data, especially in light of such threats.