Microsoft thinks it knows how Chinese hackers were able to breach US government accounts
An old crash dump was most likely to blame, Microsoft says
Microsoft’s investigation into the recent Storm-0558 cyberattack has concluded by claiming the company now knows how the Chinese threat actor accessed US government email accounts.
Two months ago, a Chinese hacking group known as Storm-0558 accessed more than two dozen Microsoft email accounts belonging to various organizations in the West, including several US government agencies.
Initial investigation showed that the hackers used a previously obtained Microsoft account (MSA) consumer key to forge tokens to access OWA and Outlook.com.
Correcting issues
What remained a mystery was how the hackers obtained that consumer key in the first place. Two months later, the Redmond giant’s in-depth investigation concluded, showing that the signing key was included in a consumer signing system crash dump, from April 2021.
“The crash dumps, which redact sensitive information, should not include the signing key,” Microsoft explained. “In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).”
The crash dump was then moved into the company’s debugging environment on the internet-connected corporate network. While this is consistent with the company’s standard debugging process, it made it possible for hackers to steal. In the months following the crash dump’s creation, a member of Storm-0558 obtained a Microsoft corporate account belonging to an engineer, and given that the account had access to the debugging environment, they managed to grab the crash dump from one of the endpoints.
“Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” Microsoft concluded.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
At the time of the breach, Microsoft revoked all valid MSA signing keys, effectively shutting the hackers out.
More security news from TechRadar Pro
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.