Hacker Stole Signing Key, Hit US Government’s Microsoft 365

Suspected Chinese hackers gained surreptitious access to senior U.S. officials’ emails by exploiting what researchers have labeled as a zero-day flaw in Microsoft’s cloud environment. The flaw is now fixed, and authorities are sharing how to spot any compromise.

See Also: Fog of War | How the Ukraine Conflict Transformed the Cyber Threat Landscape

Details of the attack first became public Tuesday, when Microsoft issued an alert, warning that beginning on May 15, a hacking group had gained access to email accounts tied to 25 different organizations, including government agencies. Attackers also targeted the personal email accounts of individuals tied to those organizations, Microsoft said (see: China-Based Hacker Hijacked EU, US Government Emails).

In a Friday update, Microsoft said there was nothing customers could have done to prevent the attack from succeeding. Rather, the problem traced to “a validation error in Microsoft code,” and an attacker had been able to obtain and use an inactive Microsoft account – aka MSA – consumer signing key to successfully forge Azure Active Directory tokens.

“The method by which the actor acquired the key is a matter of ongoing investigation,” Microsoft reported. “Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.”

Azure AD access tokens are used to authenticate clients when they attempt to call a web API.

Experts say this attack was very sophisticated because it relied on a long list of undocumented features and functionality. “It was an extremely advanced attack requiring a huge amount of nonpublic knowledge of Microsoft internals,” said cybersecurity expert Kevin Beaumont in a Mastodon post.

While Microsoft has yet to describe the incident as a zero-day attack or breach of its systems, “forging a token is a vulnerability, so it’s a zero-day,” Beaumont added.

State and Commerce Departments Hit

The U.S. government said a federal civilian executive branch agency had detected the attack after observing unusual activity in its audit logs, and the agency alerted Microsoft and the Cybersecurity and Infrastructure Security Agency to the attack. Victims of the attack included the U.S. departments of State and Commerce. Officials say no classified systems were breached.

“Last month, the State Department detected anomalous activity,” State Department spokesman Matthew Miller told reporters Wednesday.

“We did two things immediately. One: We took immediate steps to secure our systems. And two: We took immediate steps to notify Microsoft of the event,” Miller said. “As a matter of cybersecurity policy, we do not discuss the details of our response. The incident remains under investigation, and we continuously monitor our networks and update our security procedures.”

The Commerce Department said it first learned from Microsoft that its Microsoft 365 systems had been targeted and said the department will continue to closely monitor its cloud service environments for signs of illicit activity.

Microsoft’s threat intelligence team said the attack had been perpetrated by a group it named Storm-0558, which Microsoft has “moderate confidence” is tied to China. While the advanced persistent threat group has “minimal overlaps” with Beijing-aligned groups such as APT31 – or what Microsoft calls Violet Typhoon and previously referred to as Zirconium – Microsoft believes “Storm-0558 operates as its own distinct group,” it said.

Until it can identify who’s behind the group, Microsoft uses the term “Storm” to refer to “newly discovered, unknown, emerging or developing cluster of threat activity.” Storm is analogous to FireEye’s use of UNC, for “uncategorized group or cluster.”

Two unnamed U.S. officials told CNN they believe the attack was an attempt by the Chinese government to gather intelligence prior to Secretary of State Antony Blinken’s visit to Beijing last month.

CISA Says, ‘Log and Monitor’

CISA and the FBI have issued a joint alert to critical infrastructure organizations – or any organization with a cloud environment – advising them to “enhance their cyber posture and position themselves to detect similar malicious activity” through robust logging and monitoring.

The joint alert recommends that organizations using Microsoft 365 enable audit logging, unified audit logging to search logs for activities performed in different Microsoft 365 services, and a premium feature called the Purview compliance portal. It also recommends ensuring that all of these logs can be searched by all required security personnel – including in the security operations center, building a baseline of typical activity and watching for abnormal patterns.

By default, Microsoft Purview retains logs for 90 days. CISA and the FBI said Microsoft logs must to be retained for longer, at least for federal agencies. Office of Management and Budget memorandum M-21-31 requires federal civilian agencies to retain cloud service audit logs for at least 12 months in active storage and 18 months more in cold storage.

“This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy,” CISA and the FBI said.

While Microsoft didn’t prevent the attack, officials said logging and monitoring of Microsoft 365 environments was key to quickly spotting the hacks and enabling the technology giant to find and eliminate the underlying vulnerability. “CISA and FBI are not aware of other audit logs or events that would have detected this activity,” they said, adding that robust logging is essential for organizations “to enhance their cybersecurity posture and position themselves to detect similar malicious activity.”