Microsoft Exposes How Hackers Stole Email Signing Key


In a recent blog post, Microsoft finally revealed the details of how a China-backed hacking group was able to steal one of its email signing keys. This key provided unauthorized access to the email accounts of U.S. government officials hosted by Microsoft. While this disclosure solves one mystery, there are still many unknown details.

Key Takeaway

  • Microsoft has revealed how a China-backed hacking group stole one of its email signing keys, granting unauthorized access to U.S. government email accounts.
  • The theft was a result of multiple issues, including a crash in the signing system, failed detection of the key, and compromised user credentials.
  • Cybersecurity remains a complex challenge, even for large organizations with extensive resources.
  • The focus should be on enhancing network security policies and defenses to prevent future breaches.

Recapping the Hack

Back in July, Microsoft disclosed that hackers, known as Storm-0558 and believed to be backed by China, had obtained an email signing key used to secure consumer email accounts like This key allowed the hackers to breach both personal and enterprise email accounts of government officials. The targeted espionage campaign aimed at accessing unclassified emails of U.S. government officials, including high-profile figures such as the U.S. Commerce Secretary and the U.S. Ambassador to China.

The Unveiling of the Hack

Microsoft’s blog post explained the five separate issues that led to the theft of the consumer email signing key. The first issue occurred in April 2021 when a system used as part of the signing process crashed, creating a snapshot image for analysis. This snapshot inadvertently included a copy of the key, but Microsoft’s systems failed to detect it. The snapshot was then moved to a debugging environment on Microsoft’s corporate network, where the hackers were able to compromise a Microsoft engineer’s corporate account. While there is no specific evidence of the key’s exfiltration, this was deemed the most probable method by which the key was stolen.
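The detection failure described above (key material surviving in a crash snapshot that then leaves the production boundary) is the kind of check an artifact-handling pipeline can automate. The following is an added illustration, not Microsoft's tooling and not based on any detail of its pipeline: a small scanner that looks for PEM private-key blocks and the DER prefix of a PKCS#1 RSA private key in a byte blob, gates release of the blob on a clean scan, and redacts any PEM block it finds. The snapshot contents, key markers beyond the standard PEM headers, and the DER heuristic are constructed for the example.

```python
import re

# Standard PEM markers that identify private key material in text form.
PEM_BEGIN = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
PEM_BLOCK = re.compile(
    rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----.*?-----END (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----",
    re.DOTALL,
)
# Heuristic for a DER-encoded PKCS#1 RSAPrivateKey: SEQUENCE with a long-form
# two-byte length, then INTEGER version 0 (02 01 00), then an INTEGER with a
# long-form length for the modulus (02 82). This is an assumption for the
# example; a production scanner would parse the ASN.1 rather than pattern-match.
DER_RSA = re.compile(rb"\x30\x82[\x00-\xff]{2}\x02\x01\x00\x02\x82")


def scan_snapshot(blob: bytes) -> list:
    """Return a list of findings (kind and byte offset) for key material in blob."""
    findings = []
    for m in PEM_BEGIN.finditer(blob):
        findings.append({"kind": "pem-private-key", "offset": m.start()})
    for m in DER_RSA.finditer(blob):
        findings.append({"kind": "der-rsa-private-key", "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


def release_allowed(blob: bytes) -> bool:
    """Gate: a snapshot may leave the production boundary only if no key material was found."""
    return len(scan_snapshot(blob)) == 0


def redact_pem_blocks(blob: bytes) -> bytes:
    """Replace every complete PEM private-key block with a fixed placeholder."""
    return PEM_BLOCK.sub(b"[REDACTED PRIVATE KEY]", blob)


# Constructed sample snapshots for the example (not real dumps or real keys).
CLEAN_SNAPSHOT = b"\x00" * 64 + b"log: signing service worker restarted\n" + b"\xff" * 32
PEM_SNAPSHOT = (
    b"\x00" * 64
    + b"log: signing service worker restarted\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAexample\n-----END RSA PRIVATE KEY-----\n"
    + b"\xff" * 32
)
DER_SNAPSHOT = b"\x00" * 16 + b"\x30\x82\x04\xa4\x02\x01\x00\x02\x82\x01\x01\x00\xc3" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_SNAPSHOT), ("pem", PEM_SNAPSHOT), ("der", DER_SNAPSHOT)]:
        print(name, scan_snapshot(blob), "release allowed:", release_allowed(blob))
    print(redact_pem_blocks(PEM_SNAPSHOT))
```

The gate is deliberately binary: a snapshot that trips the scanner should be held in the environment where it was produced rather than copied into a lower-trust debugging network and cleaned up later.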

Moreover, Microsoft’s email systems were not properly performing key validation, allowing the consumer signing key to grant access to enterprise and corporate email accounts. This meant that Microsoft’s email system accepted requests for enterprise email using a security token signed with the consumer key.
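The validation gap in the paragraph above is a scoping failure: a token's signature verified against a trusted key, but nobody checked that the key was the right key for the resource being requested. The following added example (not Microsoft's code, and not its token format) shows a minimal JWT-style verifier in two forms: a weak one that accepts any token signed by any key in the trusted set, and a strict one that additionally requires the signing key's registered scope to match the resource the token is presented to. HMAC is used in place of an asymmetric signing key so the block runs with the standard library only; the key identifiers, secrets, and claim names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed trusted key set. Each key is registered with the scope it may issue for.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-example-secret-not-real", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"enterprise-example-secret-not-real", "scope": "enterprise"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Issue a header.claims.signature token signed with the named key (example format)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_signature(token: str):
    """Return (kid, claims) if the signature checks out against the key named in the header, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    kid = header.get("kid")
    if kid not in KEYS:
        return None
    expected = hmac.new(KEYS[kid]["secret"], f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None
    return kid, json.loads(_unb64(claims_b64))


def weak_validate(token: str, requested_scope: str) -> bool:
    """Flawed: any key in the trusted set is good enough, whatever scope it was issued for."""
    return verify_signature(token) is not None


def strict_validate(token: str, requested_scope: str) -> bool:
    """Corrected: the signing key must be registered for the requested scope.

    The key-to-scope binding is the decisive check. A forger holding the consumer
    key can write any audience claim they like, so the 'aud' check alone is not enough.
    """
    result = verify_signature(token)
    if result is None:
        return False
    kid, claims = result
    return KEYS[kid]["scope"] == requested_scope and claims.get("aud") == requested_scope


if __name__ == "__main__":
    # A token signed with the consumer key but claiming an enterprise audience.
    forged = sign_token("consumer-key-1", {"sub": "someone@example.invalid", "aud": "enterprise"})
    print("weak:  ", weak_validate(forged, "enterprise"))    # True: cross-scope token accepted
    print("strict:", strict_validate(forged, "enterprise"))  # False: key not registered for enterprise
```

The difference between the two validators is a single comparison of the signing key's registered scope against the resource, which is why the same check belongs in every token consumer rather than only in the issuer.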

Mystery Remains

Although Microsoft has confirmed that the consumer signing key was most likely stolen from its own systems, the exact method used by the intruders to hack into Microsoft is still unknown. According to Microsoft, the engineer’s account was compromised using “token-stealing malware.” However, further details on the compromise are not provided.

The focus on an individual engineer seems unfair as the real culprits are the network security policies that failed to block the intruder. This breach serves as a reminder that even large corporations like Microsoft face significant cybersecurity challenges. It highlights the fact that cybercriminals only need to be successful once to cause substantial damage.
