Chinese hackers forged authentication tokens to breach government emails

Sophisticated hackers have accessed email accounts of organizations and government agencies via authentication tokens they forged using an acquired Microsoft account (MSA) consumer signing key, the company revealed on Tuesday.


“The threat actor Microsoft links to this incident is an adversary based in China that Microsoft calls Storm-0558. We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection.”

This specific hacking group primarily targets government agencies in Western Europe, the company added. But according to The Washington Post, these latest attacks also compromised a number of unclassified U.S. email accounts.

The hackers exploited a token validation issue

Microsoft began investigating anomalous mail activity on June 16, 2023, after being alerted by customers.

They ultimately established that the account compromises began a month earlier, on May 15, 2023, and that the attackers accessed email accounts of employees at approximately 25 organizations, as well as consumer accounts of individuals likely associated with those organizations.

The attackers gained access via Outlook Web Access (OWA) in Exchange Online and via Outlook.com.

“MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail,” Microsoft explained.

“We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.”

Microsoft says customers don't have to do anything to protect themselves against this attack: the company has blocked the use of tokens signed with the acquired key and has replaced the key. The initial disclosure does not mention a fix for the exploited token validation issue, though (see the July 14 update below).

All targeted or compromised organizations have been contacted by Microsoft directly via their tenant admins and have been provided with information to help them investigate and respond. "If you have not been contacted, our investigations indicate that you have not been impacted," the company added, and promised to share "new details and recommendations as appropriate."

Microsoft also shared on Tuesday that attackers have been abusing its Microsoft Windows Hardware Developer Program (MWHDP) to get malicious drivers signed, and released fixes for several zero-days actively exploited in the wild.

UPDATE (July 12, 2023, 04:40 a.m. ET):

As it turns out, the attacks were spotted by a US Federal Civilian Executive Branch (FCEB) agency after it detected suspicious log events.

"In Mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA," CISA and the FBI said in a cybersecurity advisory released on Wednesday.

"The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event enables detection of otherwise difficult to detect adversarial activity."

They advised federal agencies and critical infrastructure organizations to enhance monitoring of Microsoft Exchange Online environments by implementing the logging recommendations outlined in the advisory.
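The detection the FCEB agency describes, as an added example that is not code from the advisory or from Microsoft: build a baseline of the (AppId, ClientAppId) pairs that normally generate MailItemsAccessed events in a tenant, then flag later MailItemsAccessed events from pairs outside that baseline. The records are constructed here in the shape of the AuditData JSON that Microsoft 365 Unified Audit Log entries carry; the two first-party identifiers are the well-known Exchange Online and Office AppIds, while the unexpected GUID is made up for the example and is not a published indicator.

```python
import json
from collections import defaultdict
from datetime import datetime

# Well-known Microsoft first-party identifiers (the ones a tenant's Outlook clients usually show).
EXCHANGE_ONLINE_APPID = "00000002-0000-0ff1-ce00-000000000000"
OFFICE_CLIENT_APPID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
# Constructed GUID standing in for an application that never touched mailboxes before.
UNKNOWN_APPID = "9e3f1b2c-0000-4000-8000-000000000001"


def _rec(ts, user, app, client, op="MailItemsAccessed"):
    # Constructed record in the shape of the AuditData JSON of a Unified Audit Log entry.
    return json.dumps({"CreationTime": ts, "Operation": op, "Workload": "Exchange",
                       "UserId": user, "MailboxOwnerUPN": user,
                       "AppId": app, "ClientAppId": client})


# Constructed sample log: a learning period in May, then two anomalous accesses in June.
SAMPLE_AUDIT_DATA = [
    _rec("2023-05-01T08:01:10", "alice@corp.example", EXCHANGE_ONLINE_APPID, OFFICE_CLIENT_APPID),
    _rec("2023-05-02T09:15:44", "bob@corp.example", EXCHANGE_ONLINE_APPID, OFFICE_CLIENT_APPID),
    _rec("2023-05-03T10:20:00", "alice@corp.example", EXCHANGE_ONLINE_APPID, OFFICE_CLIENT_APPID),
    _rec("2023-05-04T11:00:00", "bob@corp.example", EXCHANGE_ONLINE_APPID, OFFICE_CLIENT_APPID, op="Send"),
    _rec("2023-06-15T03:14:52", "alice@corp.example", UNKNOWN_APPID, UNKNOWN_APPID),
    _rec("2023-06-15T03:15:20", "bob@corp.example", EXCHANGE_ONLINE_APPID, OFFICE_CLIENT_APPID),
    _rec("2023-06-16T02:41:09", "alice@corp.example", UNKNOWN_APPID, UNKNOWN_APPID),
]


def parse_records(lines):
    """Parse one AuditData JSON document per line into dicts."""
    return [json.loads(line) for line in lines]


def build_baseline(records, before):
    """Return the set of (AppId, ClientAppId) pairs that generated MailItemsAccessed
    events before the cutoff; this is the tenant's 'normal Outlook activity'."""
    cutoff = datetime.fromisoformat(before)
    return {(r["AppId"], r["ClientAppId"]) for r in records
            if r["Operation"] == "MailItemsAccessed"
            and datetime.fromisoformat(r["CreationTime"]) < cutoff}


def find_unexpected_mail_access(records, baseline, since):
    """MailItemsAccessed events at or after `since` whose (AppId, ClientAppId) pair was
    never seen in the baseline, grouped by the mailbox that was read."""
    start = datetime.fromisoformat(since)
    hits = defaultdict(list)
    for r in records:
        if r["Operation"] != "MailItemsAccessed":
            continue
        if datetime.fromisoformat(r["CreationTime"]) < start:
            continue
        pair = (r["AppId"], r["ClientAppId"])
        if pair not in baseline:
            hits[r["MailboxOwnerUPN"]].append(
                {"time": r["CreationTime"], "AppId": r["AppId"], "ClientAppId": r["ClientAppId"]})
    return dict(hits)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT_DATA)
    known = build_baseline(recs, "2023-06-01T00:00:00")
    for mailbox, events in find_unexpected_mail_access(recs, known, "2023-06-01T00:00:00").items():
        print(mailbox)
        for e in events:
            print("  ", e["time"], "AppId", e["AppId"], "ClientAppId", e["ClientAppId"])
```

In a real tenant the input would come from Search-UnifiedAuditLog (or the Purview audit export) and the baseline window should cover enough history to include every legitimate client the organization uses; MailItemsAccessed also has to be enabled and retained for the mailboxes in question, which is the logging gap the advisory asks agencies to close.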

UPDATE (July 14, 2023, 3:10 p.m. ET):

Microsoft has shared more in-depth details about the attack, but still has not determined how the threat actor acquired the MSA consumer signing key.

“Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected,” Microsoft says.
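Microsoft's statements above (that MSA and Azure AD keys come from separate systems and should only be valid for their own, and that a validation issue let the consumer key be trusted for Azure AD tokens) describe a key-scoping failure without saying what the defect was. The example below is added here and is not Microsoft's code or a description of its actual bug: it models one way such a check can fail, a verifier that checks the token's issuer but looks the signing key up in a single cache merged from every trusted key set, next to a verifier that selects the key set by the expected issuer. The issuers, key IDs and secrets are constructed placeholders, and HMAC-SHA256 stands in for the RSA signatures real identity providers use so the code runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder issuers and key sets for two separate identity systems
# (consumer and enterprise); not Microsoft's real endpoints or keys.
CONSUMER_ISSUER = "https://login.consumer.example"
ENTERPRISE_ISSUER = "https://login.enterprise.example"
KEYSETS_BY_ISSUER = {
    CONSUMER_ISSUER: {"msa-key-1": b"consumer-signing-secret"},
    ENTERPRISE_ISSUER: {"aad-key-1": b"enterprise-signing-secret"},
}


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWT-style token (header.payload.signature). HMAC-SHA256 is an
    assumption standing in for the asymmetric signatures a real issuer would use."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64u_decode(h)), json.loads(_b64u_decode(p)), (h + "." + p).encode(), _b64u_decode(s)


def _sig_ok(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig)


def verify_merged_cache(token: str, expected_issuer: str) -> Optional[dict]:
    """Flawed verifier: the iss claim is checked, but the key is found by kid in one cache
    that merges every trusted key set, so a consumer key validates an enterprise token."""
    header, claims, signing_input, sig = _parse(token)
    if claims.get("iss") != expected_issuer:
        return None
    merged = {kid: key for keyset in KEYSETS_BY_ISSUER.values() for kid, key in keyset.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return None
    return claims


def verify_scoped(token: str, expected_issuer: str) -> Optional[dict]:
    """Hardened verifier: the key set is chosen by the issuer the service expects, so a
    kid from another issuer's set is never consulted, whatever the token claims."""
    header, claims, signing_input, sig = _parse(token)
    if claims.get("iss") != expected_issuer:
        return None
    key = KEYSETS_BY_ISSUER[expected_issuer].get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return None
    return claims


def forge_enterprise_token(stolen_consumer_key: bytes) -> str:
    """What an actor holding only the consumer key can mint: claims naming the enterprise
    issuer and an enterprise user, signed with the consumer key under its own kid."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": "mail-service", "upn": "victim@corp.example"}
    return sign_token(claims, "msa-key-1", stolen_consumer_key)


if __name__ == "__main__":
    forged = forge_enterprise_token(KEYSETS_BY_ISSUER[CONSUMER_ISSUER]["msa-key-1"])
    print("merged-cache verifier accepts forged token:", verify_merged_cache(forged, ENTERPRISE_ISSUER) is not None)
    print("scoped verifier accepts forged token:", verify_scoped(forged, ENTERPRISE_ISSUER) is not None)
```

The point of the pair is that checking the signature and the issuer claim separately is not enough: the key used to check the signature must itself be bound to the issuer the service trusts, otherwise any key the verifier happens to cache becomes a key for every token format it accepts.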
