UPDATE - Several U.S. government agencies are tied up in a cyberattack by a China-based threat group that accessed unclassified email data of more than two dozen organizations globally. The attackers used forged authentication tokens to access victims’ emails for a month with an acquired Microsoft account consumer signing key.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the campaign was first discovered in June after a federal agency identified suspicious activity in its Microsoft 365 cloud environment via the audit logs and reported it to Microsoft and CISA. Within the MailItemsAccessed event, which is generated when licensed users access items in Exchange Online mailboxes using connectivity protocols from clients, the agency observed an AppID that did not normally access mailbox items in its environment.
“Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” according to CISA on Wednesday. “The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.”
While Microsoft began its investigation into the attacks June 16, threat actors had compromised email accounts starting on May 15. Microsoft tied the attacks to Storm-0558 (with “Storm” being part of the company’s new designation for a new or emerging threat group), an adversary based in China. Storm-0558 mostly targets government agencies in Western Europe and is focused on espionage, data theft and credential access, said Microsoft.
“We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection,” according to Microsoft. “This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.”
Microsoft said in addition to the compromised email accounts of the 25 unnamed organizations, the threat group also accessed a “small number” of related consumer accounts of individuals that are likely associated with these organizations.
Microsoft said that the threat actor exploited a token validation issue in order to impersonate Microsoft Entra ID users. The attackers used an acquired, inactive Microsoft consumer account key to forge tokens to access OWA and Outlook.com, ultimately giving them access to enterprise mail accounts.
In a Friday analysis of the attack, Microsoft said that it is currently investigating how the threat actor was able to initially get the key.
Authentication tokens, which prove that the entity requesting access to email is who it claims to be, are issued by identity providers such as Microsoft Entra ID: the provider signs each token with a private signing key, and relying services check the signature against the corresponding public validation key. If a threat actor can acquire the private signing key, they can forge tokens that carry valid signatures.
Adding another layer to this attack, the key was only intended for consumer accounts. Microsoft account keys for consumers and Microsoft Entra ID keys for enterprises are issued from separate systems and should only be valid for their respective systems. However, a validation error in Microsoft’s code allowed the key to be trusted for signing Microsoft Entra ID tokens, according to the company. This issue has since been corrected.
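The validation error described above belongs to a recognizable class: a verifier that resolves a token's key ID against one shared pool of keys, instead of against the key set published by the issuer the token claims to come from, will accept a token signed by a key that was never meant to vouch for that issuer. The example below is added here to illustrate that class and is not Microsoft's code or a description of its internals. It uses HMAC with constructed keys in place of the asymmetric signing keys a real identity provider uses, and the issuer URLs, key IDs and claims are all invented; the structural point, which issuer a key is allowed to speak for, is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed issuers and keys (not real endpoints or key material).
# HMAC stands in for the provider's RSA/ECDSA keys so the example runs offline.
CONSUMER_ISSUER = "https://login.consumer.example/"
ENTERPRISE_ISSUER = "https://login.enterprise.example/tenant-123/"
KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"consumer-key-2016": b"constructed-consumer-signing-key"},
    ENTERPRISE_ISSUER: {"enterprise-key-2023": b"constructed-enterprise-signing-key"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Produce a JWT-shaped token: header.payload.signature (HS256 here for illustration)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), f"{h}.{p}", b64url_decode(s)


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_pooled(token: str, expected_issuer: str):
    """Weak validator: looks the kid up in a pool of ALL known keys, regardless of issuer.
    The issuer claim is checked, but nothing ties the key used to that issuer, so a token
    that names the enterprise issuer and is signed with a consumer key passes."""
    header, claims, signing_input, sig = _split(token)
    pool = {kid: k for keys in KEYS_BY_ISSUER.values() for kid, k in keys.items()}
    key = pool.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    if claims.get("iss") != expected_issuer:
        return False, "wrong issuer"
    if claims.get("exp", 0) < time.time():
        return False, "expired"
    return True, claims


def validate_scoped(token: str, expected_issuer: str):
    """Hardened validator: the kid may only be resolved within the expected issuer's own
    key set, so a key from another issuer can never verify this issuer's tokens."""
    header, claims, signing_input, sig = _split(token)
    if claims.get("iss") != expected_issuer:
        return False, "wrong issuer"
    key = KEYS_BY_ISSUER.get(expected_issuer, {}).get(header.get("kid"))
    if key is None:
        return False, "kid not in issuer's key set"
    if not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    if claims.get("exp", 0) < time.time():
        return False, "expired"
    return True, claims


def _claims(issuer: str) -> dict:
    return {"iss": issuer, "sub": "user@tenant-123.example", "aud": "mail-api", "exp": int(time.time()) + 3600}


def genuine_enterprise_token() -> str:
    return sign_token(_claims(ENTERPRISE_ISSUER), "enterprise-key-2023", KEYS_BY_ISSUER[ENTERPRISE_ISSUER]["enterprise-key-2023"])


def cross_issuer_token() -> str:
    """A token that claims the enterprise issuer but is signed with the consumer issuer's key:
    the case the scoped validator must reject and the pooled validator wrongly accepts."""
    return sign_token(_claims(ENTERPRISE_ISSUER), "consumer-key-2016", KEYS_BY_ISSUER[CONSUMER_ISSUER]["consumer-key-2016"])


if __name__ == "__main__":
    for name, tok in (("genuine", genuine_enterprise_token()), ("cross-issuer", cross_issuer_token())):
        print(name, "pooled:", validate_pooled(tok, ENTERPRISE_ISSUER)[0], "scoped:", validate_scoped(tok, ENTERPRISE_ISSUER)[0])
```

The design point is that the key lookup, not just the issuer claim, has to be scoped: `validate_scoped` selects the key set from the issuer it expects and then refuses any `kid` that set does not contain, so the provenance of the key is checked before the signature is ever computed. Checking the `iss` claim alone, as `validate_pooled` does, is not enough when the verifier can reach keys belonging to other issuers.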
"Once authenticated through a legitimate client flow leveraging the forged token, the threat actor accessed the OWA API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA," according to Microsoft on Friday. "The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw. This flaw in the GetAccessTokenForResource API has since been fixed to only accept tokens issued from Microsoft Entra ID or MSA respectively. The actor used these tokens to retrieve mail messages from the OWA API."
Microsoft said it has since mitigated the attack for all customers and has found no evidence of further access. Organization security teams should know that the company has contacted businesses that have been impacted directly via their tenant admins; no further customer action is required at this time.
CISA and the FBI additionally urge CISOs to ensure audit logging is enabled, particularly as the attack was first detected via abnormal behavior detected on the audit logs. Currently, federal agencies must comply with policies requiring Microsoft audit logs to be retained for at least 12 months in active storage. Microsoft’s standard auditing feature is enabled by default for most Microsoft 365 organizations. CISA also encourages organizations to make sure logs are accessible to operational teams in order to make it easier to hunt for related malicious activity or weed out abnormalities.
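The detection that surfaced this campaign, described at the top of the article, is straightforward to reproduce once audit logging is enabled and the logs reach an operational team: collect the MailItemsAccessed events and look for AppIDs that do not normally access mailboxes in the tenant. The script below is an added example (not CISA's or Microsoft's tooling) that runs that check over constructed audit records in the JSON-per-line shape exported from the unified audit log. The record fields used are the ones commonly present on MailItemsAccessed events; the baseline of expected AppIDs is assumed and must be built from your own tenant's history, and the two IDs in it are well-known Microsoft first-party application IDs included only as plausible starting values.

```python
import json

# Assumed baseline of AppIds that normally access mailboxes in this tenant.
# Build this from your own history (see build_appid_baseline); the two entries
# are well-known Microsoft first-party application IDs used here as example values.
BASELINE_APPIDS = {
    "d3590ed6-52b3-4102-aeff-aad2292ab01c",  # Microsoft Office desktop clients
    "00000002-0000-0ff1-ce00-000000000000",  # Office 365 Exchange Online
}

# Constructed sample audit records, one JSON object per line; not real tenant data.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2023-06-15T08:02:11", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "AppId": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "ClientIPAddress": "203.0.113.5", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]}
{"CreationTime": "2023-06-15T08:05:42", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIPAddress": "203.0.113.5", "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}]}
{"CreationTime": "2023-06-15T09:17:03", "Operation": "UserLoggedIn", "UserId": "bob@agency.example", "AppId": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "ClientIPAddress": "203.0.113.9"}
{"CreationTime": "2023-06-15T11:40:19", "Operation": "MailItemsAccessed", "UserId": "bob@agency.example", "AppId": "ffffffff-0000-4000-8000-000000000001", "ClientIPAddress": "198.51.100.77", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]}
{"CreationTime": "2023-06-15T11:41:02", "Operation": "MailItemsAccessed", "UserId": "bob@agency.example", "AppId": "ffffffff-0000-4000-8000-000000000001", "ClientIPAddress": "198.51.100.77", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]}
{"CreationTime": "2023-06-15T12:00:00", "Operation": "MailItemsAccessed", "UserId": "carol@agency.example", "ClientIPAddress": "203.0.113.14", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]}
"""

MISSING_APPID = "<missing AppId>"


def parse_audit_records(text: str):
    """Yield one dict per non-empty line; malformed lines are skipped rather than aborting the hunt."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def mail_access_type(record: dict):
    """Pull MailAccessType (Bind or Sync) out of the OperationProperties list, if present."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value")
    return None


def build_appid_baseline(text: str) -> set:
    """AppIds observed on MailItemsAccessed events in a trusted historical window."""
    return {
        rec["AppId"]
        for rec in parse_audit_records(text)
        if rec.get("Operation") == "MailItemsAccessed" and rec.get("AppId")
    }


def find_unfamiliar_appids(text: str, baseline=BASELINE_APPIDS) -> list:
    """Aggregate MailItemsAccessed events whose AppId is not in the baseline, per (AppId, user).
    Records with no AppId at all are surfaced under MISSING_APPID so they are not silently lost."""
    findings = {}
    for rec in parse_audit_records(text):
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        app_id = rec.get("AppId") or MISSING_APPID
        if app_id in baseline:
            continue
        key = (app_id, rec.get("UserId"))
        f = findings.setdefault(key, {
            "AppId": app_id, "UserId": rec.get("UserId"), "count": 0,
            "first_seen": rec.get("CreationTime"), "last_seen": rec.get("CreationTime"),
            "source_ips": set(), "access_types": set(),
        })
        f["count"] += 1
        f["first_seen"] = min(f["first_seen"], rec.get("CreationTime"))
        f["last_seen"] = max(f["last_seen"], rec.get("CreationTime"))
        if rec.get("ClientIPAddress"):
            f["source_ips"].add(rec["ClientIPAddress"])
        if mail_access_type(rec):
            f["access_types"].add(mail_access_type(rec))
    # Sets become sorted lists so the output serialises cleanly to a ticket or SIEM.
    out = []
    for f in sorted(findings.values(), key=lambda x: (x["first_seen"], x["AppId"])):
        f["source_ips"] = sorted(f["source_ips"])
        f["access_types"] = sorted(f["access_types"])
        out.append(f)
    return out


if __name__ == "__main__":
    for finding in find_unfamiliar_appids(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding))
```

Two practical points the sample illustrates: the UserLoggedIn record is ignored even though it carries an AppId, because the hunt is scoped to mailbox item access; and the record with no AppId is reported rather than dropped, since an absent field is itself something an analyst should notice when tuning the baseline.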
Microsoft has also added automated detections for known IoCs associated with the attack. Still, it’s one of many security hits for the company this week, which also warned on Tuesday of an unpatched, zero-day flaw being actively exploited in Office. Also on Tuesday, Cisco Talos researchers detailed an undocumented malicious driver that used an open-source signature timestamp forging tool in order to abuse a known loophole in Microsoft’s Windows driver signature enforcement practices.
Chinese threat actor activity overall has concerned both the U.S. government and private sector organizations. In testimony last year before the U.S.-China Economic and Security Review Commission, Mandiant researchers said they believe Chinese cyber espionage activity has shown a “higher tolerance for risk and is less constrained by norms or diplomatic pressures.”
John Hultquist, Mandiant chief analyst with Google Cloud, said that China is a “more sophisticated adversary than ever” and that related threat groups are innovating and using methods in their attacks that challenge both detection and mitigation, including the rapid deployment of zero-days, the targeting of security devices, and the use of more complex infrastructure (by relying on networks of compromised systems, versus a simple proxy, for instance).
"Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with,” said Hultquist. “They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth.”
This article was updated on July 14 with further updates from Microsoft on how the threat actors conducted the attack.