A “cascade” of errors let Chinese hackers into US government inboxes

Microsoft still doesn’t known how Storm-0558 attackers managed to steal the Microsoft Services Account cryptographic key they used to forge authentication tokens needed to access email accounts belonging to US government officials.

“The stolen 2016 MSA key in combination with [a] flaw in the token validation system permitted the threat actor to gain full access to essentially any Exchange Online account,” CISA’s Cyber Safety Review Board (CSRB) noted in a recently released Review of the Summer 2023 Microsoft Exchange Online Intrusion.

“Microsoft does not know when Storm-0558 discovered that consumer signing keys (including the one it had stolen) could forge tokens that worked on both OWA consumer and enterprise Exchange Online. Microsoft speculates that the threat actor could have discovered this capability through trial and error.”

Known unknowns

In May and June 2023, Storm-0558 – a hacking group associated with the Chinese government – compromised Microsoft’s cloud environment and accessed cloud-based mailboxes of US State Department officials, Commerce Department’s officials, as well as users at other government and private sector organizations in the US, the UK, and elsewhere.

The intrusions were noticed on June 15, 2023, by the State Department’s security operation center analysts, who spotted anomalous mail access behavior. After Microsoft provided access to additional audit logs, they found that the intrusion into the various mailboxes started on May 15 and possibly even earlier (it’s impossible to say because the logs covered just the last 30 days).

The timeline of the Microsoft Exchange Online intrusion. (Source: CSRB)

In September 2023, Microsoft posited that Storm-0558 got the MSA 2016 key from a snapshot of a crash of a consumer signing system. This “crash dump” got moved to a “debugging environment on the internet connected corporate network”, from where it was exfiltrated by the attackers who managed to compromise a Microsoft engineer’s corporate account.

“Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” the company said at the time.

According to information shared with the CSRB, the company “soon after” found no evidence of a crash dump containing the 2016 MSA key material, but for waited until March 2024 to amend the original blog post to include that piece of information.

“Our leading hypothesis remains that operational errors resulted in key material leaving the secure token signing environment that was subsequently accessed in a debugging environment via a compromised engineering account,” the company added.

Microsoft also currently believes that a incident from late 2021, when Storm-0558 obtained access to a Microsoft engineer’s account via a compromised device, might be linked to the 2023 Exchange Online intrusion, through the company has not produced evidence to back that belief, the CSRB noted.

“A preventable intrusion”

Though they praised Microsoft for fully cooperating in the review, the CSRB excoriated Microsoft by saying that the intrusion was the result of a “cascade” of avoidable errors, including:

• The company’s failure to detect the compromise of its cryptographic keys
• The lack of adequate cloud security controls
• Their failure to detect a compromise of an employee’s laptop from a recently acquired company before allowing it to connect to the company’s corporate network

“The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul,” the CSRB stated, and advised Microsoft to make its CEO and Board of Directors focus on the company’s security culture and security-focused reforms across the company and products.

“The Board recommends that Microsoft’s CEO hold senior officers accountable for delivery against this plan. In the meantime, Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources.”

The review also provides security advice for all cloud service providers, who “have become custodians of nearly unimaginable amounts of data.” The extensive recommendations are aimed at improving their cybersecurity practices, upping their minimum standard for default audit logging, implementing emerging digital identity standards, and more.