An investigation by Microsoft has finally revealed how China-based hackers circumvented the protections of a "highly isolated and restricted production environment" in May 2023 to unlock sensitive email accounts belonging to US government agencies.
The attack was first reported by Microsoft in July, in an article that left some important questions unanswered. The original article revealed that China-based hackers—dubbed Storm-0558 in accordance with Microsoft's new threat actor naming scheme—had gained access to email accounts "affecting approximately 25 organizations in the public cloud including government agencies as well as related consumer accounts of individuals likely associated with these organizations." Ars Technica describes those government accounts as "belonging to the US Departments of State and Commerce."
The accounts, Microsoft says, were accessed using forged authentication tokens:
Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email.
Authentication tokens are the computer equivalent of the wristband you get at a concert, or the lanyard you're issued at a cybersecurity conference. You show your ticket once, and in return you're given a wrist band or lanyard that you have to keep on display at all times to show you belong.
In the case of Outlook.com, your username and password are the ticket that gets you through the door, and the authentication token is the lanyard you're given that says you're allowed to be there.
An attacker with your authentication token can pretend to be you without knowing your password, so tokens need to be hard to forge. To ensure they are, they're backed by cryptography that hinges on a private cryptographic key that has to be kept very, very, very secure indeed.
The original Microsoft article noted that Storm-0558 "used an acquired [Microsoft account] key to forge tokens to access OWA and Outlook.com" but, crucially, did not say how the attackers were able to get at a key that would have been held in something like a real life version of the Fort Knox-like production environment, described by Microsoft as follows:
Microsoft maintains a highly isolated and restricted production environment. Controls for Microsoft employee access to production infrastructure include background checks, dedicated accounts, secure access workstations, and multi-factor authentication using hardware token devices. Controls in this environment also prevent the use of email, conferencing, web research and other collaboration tools which can lead to common account compromise vectors such as malware infections or phishing, as well as restricting access to systems and data using Just in Time and Just Enough Access policies.
Microsoft provides an answer—what it calls the "most probable mechanism"—to the riddle of how attackers breached all that protection, in its September 6 update.
It starts with a crash in a consumer signing system in 2021. A "crash dump" of the system, which included the key, was moved from the highly secure production environment into Microsoft's debugging environment so that the cause of the crash could be investigated.
At some point after this occurred, Storm-0558 compromised a Microsoft engineer’s corporate account. That account had access to the debugging environment containing the crash dump with the key, and Storm-0558 was able to retrieve it from there without having to tackle the extensive security of the production environment.
Crucially, mechanisms that should have redacted the key material during the crash dump failed.
As you'd expect, Microsoft explains that it's gone to great pains to beef up its security as a result, with numerous improvements in the way it handles and detects key materials, among other improvements.
The attack is a great example of just how advanced and persistent Advanced Persistent Threat (APT) actors can be, and why what Microsoft calls an "'assume breach' mindset" is so important in modern security. Computer networks are complicated and constantly in flux, and any organization can be breached. Assume you have been breached and monitor your environment accordingly.
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.