Hackers based in China nab email data from US government agencies

A Chinese hacking group focused on espionage utilized a flaw in a Microsoft authentication system to target the U.S. government.
People walk past a screen showing a Chinese national flag at a shopping mall in Beijing on May 26, 2023. (Photo by Jade Gao / AFP)

A sophisticated Chinese hacking operation gained access to email accounts associated with roughly two dozen organizations that included a number of U.S. government entities and the private email accounts of individuals associated with the targeted organizations, Microsoft and U.S. government officials said.

“Last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” U.S. National Security Council Spokesperson Adam Hodge said in a statement. “Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. Government to a high security threshold.”

Microsoft described the breach in a blog post late Tuesday and said that a customer — whom it did not identify — informed the company about the hacking activity on June 16. Microsoft tracks the hacking group in question as Storm-0558, which the firm’s researchers believe is based in China and primarily targets government agencies in Western Europe with a focus on espionage, data theft and credential access.

While the exact scope of the breach remains unclear, Microsoft researchers say the hackers “gained access to email data” on May 15, 2023 — a month before Microsoft was tipped off to the activity — by using forged authentication tokens using “an acquired Microsoft account (MSA) consumer signing key.”


How the attackers secured access to that key, which they then used to bypass security protections, will be a key focus for investigators in coming days. Such a key may have been obtained from Microsoft’s systems — a theory proposed by the computer security researcher Kevin Beaumont on Mastodon. The acquired key “must have come from inside Microsoft’s internal network,” according to Beaumont, who formerly worked as a senior threat intelligence analyst at Microsoft.

A senior CISA official told reporters Wednesday that Microsoft determined that roughly 25 organizations were impacted globally, that “not all of those organizations were based in the United States” and put the total number of affected U.S. organizations “in the single digits.”

“This appears to have been a very targeted, surgical campaign that was not seeking the breadth of access that we have seen in other campaigns, such as SolarWinds,” the official said, referring to the sprawling Russian hacking campaign that infiltrated multiple government and corporate networks.

Microsoft said Tuesday that it has completed mitigating the attack, notified affected customers and that the attackers are no longer able to use forged tokens to access targeted email accounts.

So far, it remains unclear what the more targeted Chinese operation obtained, but the hackers successfully exfiltrated what a joint advisory from the FBI and Cybersecurity and Infrastructure Security Agency described as “unclassified Exchange Online Outlook data.” The activity was detected because of unexpected actions reflected in audit logs, the advisory added.


In a tweet, CISA Director Jen Easterly described the campaign as the latest example of how “malicious cyber actors continue to develop new methods to target sensitive info.”

The fallout of the operation exposed a central tension in the Biden administration’s approach to cybersecurity and making computer products secure by default. The White House has urged both government and private sector entities to transition their operations to the cloud in the belief that centralized, more sophisticated cloud providers can provide better security and logging of security events — a feature that often doesn’t come standard and means that customers have to pay more for better security.

In Wednesday’s advisory, U.S. security officials encouraged organizations to enable “premium” logging, which is a paid add-on to the targeted Microsoft product. But that approach — in which robust security features don’t come standard — “is not yielding the sort of security outcomes that we seek,” a senior CISA official told reporters Wednesday.

“Every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box,” the official said, adding that the agency has been working with Microsoft in recent months to determine the types of logs that should be made available without additional cost. The official said to expect an announcement soon that additional log types will be made available for non-premium licenses.

A representative for Microsoft did not respond to a question about any upcoming announcement with respect to logging.


“If all of your upsell is the stuff organizations need to secure themselves, then you have a real problem in your environment,” Dave Aitel, a prominent cybersecurity researcher formerly of the NSA, told CyberScoop Wednesday. “This is a big issue with secure by default because obviously your biggest partners are soaking their customers using security, and even the U.S. government may not be able to change that.”

Improving the security of computing systems is more important than ever as hacking operations grow more sophisticated and Chinese hackers shift their approach.

The operation revealed this week shows that Chinese cyber espionage “has come a long way from the smash-and-grab tactics many of us are familiar with,” said John Hultquist, the chief analyst at security firm Mandiant, which is owned by Google. “They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect.”

“The reality is that we are facing a more sophisticated adversary than ever, and we’ll have to work much harder to keep up with them,” Hultquist said.

The Chinese operation targeted email accounts belonging to State Department employees, and the department first detected the operation, according to CNN. “The Department of State detected anomalous activity, took immediate steps to secure our systems, and will continue to closely monitor and quickly respond to any further activity,” a spokesperson for the department said in a statement.


Sen. Mark Warner, D-Va., said in a statement Wednesday that the Senate Intelligence Committee is “closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence. It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies.”

U.S. officials stress that no classified information was stolen during the operation, but the operation has the potential to be quite damaging nonetheless, said Mark Forman, an executive with Dynamic Integrated Services and the first federal chief information officer.

“We’re not operating in a data collection environment for just data mining, we’re operating in a much different environment after five or six years of these AI tools really becoming advanced.”

Data that reflects even mundane inter-agency interactions can be used to train large language models to better mimic and understand U.S. government agencies. “If you’re merely stealing content, you’re getting informed about past activities,” Forman said. “If you’re stealing interactions, you’re understanding how an agency works. And that’s a lot more valuable.”

The Chinese embassy in Washington, D.C., did not return a request from CyberScoop for comment. China’s Foreign Ministry spokesperson Wang Wenbin told the Wall Street Journal that “the U.S. is the world’s biggest hacking empire and global cyber thief.”


Elias Groll contributed reporting to this article.

Updated, July 12, 2023: This story has been updated to include comments from a senior CISA official, the Chinese Foreign Ministry spokesperson, Kevin Beaumont, John Hultquist, Dave Aitel and Mark Forman.


Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).
