Chinese Hackers Exploit Microsoft Bug to Raid US Government Emails

A flaw in its cloud email service has allowed Chinese hackers to gain access to the Microsoft email accounts of employees.

Microsoft has confirmed that a flaw in its cloud email service has allowed Chinese hackers to gain access to the email accounts of US government employees.

The hacking group is known as Storm-0558, following the convention of using “Storm” as a nickname to track hacking groups that are emerging or in development. 

While Microsoft hasn’t identified the specific government agencies that have been targeted, it is known that 25 email accounts were affected. These include those within government agencies, as well as consumer accounts that are linked to people associated with the organizations.

Microsoft Security Breaches

The Storm-0558 attack is the latest in a line of recent security breaches within Microsoft.

Earlier this month, Microsoft had to deny large scale DDoS attacks in which hackers claimed they’d stolen 30 million customer records. Following this, a member of the US Navy’s information security research team exposed a flaw within the company's incoming file restraints, which allowed attackers to share malware.

How Did The Attack Take Place?

In its investigation and technical analysis of the attack, Microsoft explained that Storm-0558 forged authentication tokens to gain access to email accounts using Outlook Web Access in Exchange Online and outlook.com. From there, they exploited a token validation issue to impersonate Azure AD users and get access to enterprise email accounts.

“Last month, US government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems. Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the US Government to a high security threshold.” – Adam Hodge, spokesperson for the White House’s National Security Council

Microsoft has called Storm-0558 a “well-resourced” adversary.

It's Not Yet Known If Any Sensitive Data Was Exfiltrated

It’s reported that the malicious activity had gone undetected for around a month, until flagged by customers to Microsoft, citing unexpected mail activity as the basis for their concerns.

Protect Your Private Data

Incogni by Surfshark can help you protect your identity and remove your data from the web

“We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems” – Charlie Bell, Microsoft’s top cybersecurity executive.

The attack has since been successfully mitigated and Storm-0558 no longer has access to the email accounts. However, Microsoft has not yet confirmed whether any sensitive data was exfiltrated.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Written by:
Ellis Di Cataldo (MA) has over 9 years experience writing about, and for, some of the world’s biggest tech companies. She's been the lead writer across digital campaigns, always-on content and worldwide product launches, for global brands including Sony, Electrolux, Byrd, The Open University and Barclaycard. Her particular areas of interest are business trends, startup stories and product news.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals