Microsoft has countered an indirect cyberattack by Storm-0558, a China-based hacking group. Known for focusing on espionage, data theft, and credential access, this group primarily targets government agencies in Western Europe. The recent attack, which began on May 15, 2023, used a stolen Microsoft signing key to infiltrate email accounts. By June 16, 2023, Microsoft had launched an investigation based on customer reports of unusual email activity. The attack impacted around 25 organizations.
An Overview of the Cyberattack
Storm-0558 used forged authentication tokens to access email accounts affecting around 25 public cloud organizations, including government agencies and related consumer accounts. They utilized a Microsoft account (MSA) consumer signing key to carry out this attack. Customers are not required to act, as Microsoft has proactively contacted targeted or compromised organizations with essential information for investigation and response.
Microsoft’s Response to the Stolen Key Incident
Microsoft has undertaken several steps to mitigate these issues. These included blocking the use of tokens signed with the compromised MSA key, replacing the key so the threat actor could no longer forge new tokens, and moving the MSA signing keys to a more secure key store. Microsoft has also increased the isolation of the affected systems, improved monitoring, and seen indications that the threat actor’s activity related to this incident has stopped.
They’ve also partnered with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) and other agencies to protect the affected customers. Storm-0558’s activities continue to be monitored by Microsoft, and they’ll continue to take preventive measures to avoid such instances.
Analyzing the Attack Techniques
Microsoft outlined the attack strategy used by the threat actors. We’ve summarized that information below:
Getting Access Tokens With the Stolen Microsoft Key
Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens. Such tokens prove the identity of the entity requesting access to a resource, such as an email service. If an attacker obtains the private signing key, they can mint tokens that the system will trust as genuine. Storm-0558 used this approach to access protected email services.
How They Got Unauthorized Access
By presenting the forged tokens, the attackers authenticated to the system that handles mailbox access, the Outlook Web Access (OWA) API. From there, they reached Exchange Online, part of Microsoft’s email and calendar service, through a component called the GetAccessTokenForResource API. Because of a design flaw in how this API validated tokens, they could keep obtaining new access tokens to retrieve emails from OWA.
The Tools They Used
Storm-0558 used scripts written in PowerShell and Python to issue crafted requests to the email service. With their access tokens, they could collect email data such as messages, attachments, and folder names. To obscure their activity and make it harder to trace, they routed requests through Tor and SOCKS5 proxy servers and rotated the HTTP User-Agent header multiple times.
How They Set Up Their Systems
They ran SoftEther proxy software on a dedicated network of servers, which made them harder to identify and their actions harder to track. Specific servers in this network were used to replay token use and interact with Microsoft’s services, making the operation more efficient. They also set up their own control infrastructure on the internet to verify their false identity, which was later used to uncover their malicious activity.
What They Did Next
After gaining access, they were limited to reading and stealing email data from specific users. The key they used to sign authorization requests in this attack made the attempts more conspicuous. In turn, that made it easier for Microsoft’s teams to trace their activity across both enterprise and consumer systems.
Microsoft Threat Intelligence assesses that Storm-0558 is a highly skilled group. They are keenly aware of their targets’ environments, policies, and procedures, indicating a deep knowledge of authentication techniques and applications. Historically, Storm-0558 has shown interest in targeting media companies, think tanks, and telecommunications providers. Their primary objective is to gain unauthorized access to employees’ email accounts in targeted organizations.
Safeguarding Future Microsoft Keys
In response to this attack, Microsoft has taken considerable steps to improve its system’s security. They’ve substantially upgraded how they manage, create, and distribute these MSA keys. In addition, they are now more rigorously monitoring their systems and have transferred the keys to a more secure storage location. Microsoft plans to continue investigating this issue, maintaining ongoing surveillance of its systems, and will continue to make improvements to prevent future cyberattacks.
Boosting User Security Following Microsoft Key Breach
IT companies can add extra layers of protection to a business’s cybersecurity, going beyond what Microsoft already does. One way to do this is by setting up better cyber defense systems. A “zero-trust” model gates every access request: each request is treated as untrusted until the system verifies it is safe, and only then approved. If that layer is bypassed, additional layers can slow down an attack and make it easier to detect early on.
In addition, IT companies can make things safer for individual users. This could involve adding more steps before a user can log in, such as requiring both a password and a code sent to their phone. It also means ensuring employees only have access to what they need, since excessive access could let attackers steal data that should never have been viewable in the first place. Routinely auditing IT infrastructure and providing awareness training can also go a long way toward preventing cyberattacks.