
Chinese Hackers Breach US Government Email Accounts

The hackers used forged Microsoft authentication tokens to gain access to Outlook accounts.

Matthew Humphries, Former Senior Editor


Chinese hackers gained access to the email accounts of 25 organizations, including US government agencies, using a security hole discovered in Microsoft's cloud platform.

As The Washington Post reports, Microsoft confirmed it has mitigated the attack by a China-based threat actor it refers to as Storm-0558. The affected accounts include those of "approximately 25 organizations including government agencies as well as related consumer accounts of individuals likely associated with these organizations."

The unauthorized access to the accounts was discovered by the US government, not Microsoft. National Security Council spokesman Adam Hodges said in a statement that, "Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service ... We continue to hold the procurement providers of the U.S. government to a high security threshold."

The hackers used forged Microsoft account (MSA) authentication tokens to gain access to email accounts through Outlook Web Access (OWA) in Exchange Online and through Outlook.com. Microsoft issues and manages MSA (consumer) and Azure AD (enterprise) keys using separate systems, and each kind of key should only be valid for its respective system. However, the hackers were able to impersonate legitimate users by exploiting a token validation issue.
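To make the key-separation point concrete, here is a simplified model of a token validator, added as an illustration and not taken from Microsoft's code or from the original article. The key names, the token layout, and the use of HMAC-SHA256 in place of real asymmetric signatures are all assumptions; the `enforce_key_scope` flag contrasts a validator that only checks the signature with one that also checks that the signing key belongs to the system receiving the token.

```python
import base64, hashlib, hmac, json

# Constructed key registry: every signing key is bound to exactly one system.
# HMAC secrets stand in for real signing keys (assumption for this sketch).
KEYS = {
    "consumer-key-1": {"scope": "consumer", "secret": b"constructed-consumer-secret"},
    "enterprise-key-1": {"scope": "enterprise", "secret": b"constructed-enterprise-secret"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(kid: str, signed_part: str) -> bytes:
    return hmac.new(KEYS[kid]["secret"], signed_part.encode(), hashlib.sha256).digest()

def sign_token(kid: str, claims: dict) -> str:
    """Issue a constructed token of the form header.payload.signature."""
    signed_part = _b64(json.dumps({"kid": kid}).encode()) + "." + _b64(json.dumps(claims).encode())
    return signed_part + "." + _b64(_mac(kid, signed_part))

def validate(token: str, expected_scope: str, enforce_key_scope: bool = True) -> dict:
    """Return the claims if the token is acceptable for expected_scope, else raise ValueError."""
    try:
        header, payload, sig = token.split(".")
        kid = json.loads(_unb64(header))["kid"]
        key = KEYS[kid]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed token or unknown key") from exc
    # Step 1: the signature must verify under the key named in the header.
    if not hmac.compare_digest(_mac(kid, header + "." + payload), _unb64(sig)):
        raise ValueError("bad signature")
    # Step 2: a valid signature is not enough; the key must belong to the
    # system the token is presented to. Skipping this models the weak check.
    if enforce_key_scope and key["scope"] != expected_scope:
        raise ValueError("signing key not valid for this system")
    return json.loads(_unb64(payload))

if __name__ == "__main__":
    token = sign_token("consumer-key-1", {"sub": "user@example.test"})
    print("weak check accepts:", validate(token, "enterprise", enforce_key_scope=False))
    try:
        validate(token, "enterprise")
    except ValueError as err:
        print("scoped check rejects:", err)
```
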

Microsoft says no customer action is required and that it has already contacted all customers impacted by the cyber incident. As well as completely mitigating the attack, Charlie Bell, executive vice president of Microsoft Security, said, "We added substantial automated detections for known indicators of compromise associated with this attack to harden defenses and customer environments, and we have found no evidence of further access."

Last year, the FBI, NSA, and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert warning the public that China continues to hack into major telecommunication companies in an effort to spy on users. This latest hack confirms government systems also continue to be targeted.
