Compromised Microsoft Engineer Allowed Chinese Email Hack, Company Says

A Microsoft engineer’s compromised corporate account allowed a China-based threat actor to gain access to email accounts as early as 2021 to spy on the U.S. State and Commerce departments, and other U.S. government agencies.

Chinese threat actor Storm-0558 gained access to email accounts affecting about 25 organizations in the public cloud, including government agencies and consumers. That’s according to a Microsoft blog detailing the results of its investigation.

In July, Microsoft reported a cyberattack that gave nation-state actors access to email accounts of high-ranking officials. The perpetrators gained access to Outlook Web Access in Exchange Online (OWA) and Outlook.com.

“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (crash dump),” Microsoft said. “The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).”

This crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into Microsoft’s debugging environment on the internet-connected corporate network. Its credential scanning methods did not detect its presence. Microsoft said this has been corrected.

Microsoft Engineer Successfully Compromised in April 2021

“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account,” Microsoft said. “This account had access to the debugging environment containing the crash dump, which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

Microsoft listed the following improvements it has made since discovering this attacks:

• Identified and resolved the race condition that allowed the signing key to be present in crash dumps.
• Enhanced prevention, detection and response for key material erroneously included in crash dumps.
• Enhanced credential scanning to better detect the presence of a signing key in the debugging environment.
• Released enhanced libraries to automate key scope validation in authentication libraries, and clarified related documentation

Keeper Security’s Zane Bond

Zane Bond, head of product at Keeper Security, said this was an attack that used uncommon tactics with a significant amount of time invested into its success.

“The breach is catastrophic, without a doubt – highly sensitive government employee emails were compromised – this incident will likely amplify calls from the cybersecurity community for Microsoft to strengthen its cloud security,” he said. “However, this is a relatively rare incident. The strength of this well-resourced attacker allowed them to capitalize on analysis of a memory dump to obtain these highly sensitive keys. The average hacker would not have been able to accomplish this, and the average organization is not likely to be affected by this type of highly targeted attack.”