
Microsoft explains how a Chinese hacker group was able to access government email accounts


In July, Microsoft revealed that a known Chinese hacker group labeled as Storm-0558 was able to access government email accounts in the United States and Western Europe. The company said the group "used an acquired MSA key to forge tokens to access OWA and Outlook.com." It added, "The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail."

Microsoft launched an investigation into how the MSA (Microsoft Account) key was acquired and how a token signed with a consumer key could be used to access enterprise Outlook email accounts. This week, the company posted its findings on the Microsoft Security Response Center website.

Microsoft says that an event more than two years ago is what allowed the group to obtain the MSA key:

Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems.

Microsoft added that the crash dump was then "moved from the isolated production network into our debugging environment on the internet-connected corporate network," which was the standard procedure at the time. A credential scan of the crash dump in the debugging environment also failed to detect the MSA key; Microsoft says this detection gap has been fixed as well.

The company believes that Storm-0558 obtained the MSA key from the crash dump by compromising the corporate account of a Microsoft engineer who had access to the debugging environment. Microsoft says it has no direct evidence pointing to a specific account being compromised, but it does consider "this was the most probable mechanism by which the actor acquired the key."

Finally, the company explains why a key meant only for consumer accounts was accepted for enterprise email. The MSA key was not duplicated or converted; rather, the signature-validation library Microsoft provided to the mail system checked that a token's signature was valid but did not check which issuer the signing key was scoped to, so a token signed with the consumer key passed validation for enterprise mail:

As part of a pre-existing library of documentation and helper APIs, Microsoft provided an API to help validate the signatures cryptographically but did not update these libraries to perform this scope validation automatically (this issue has been corrected). The mail systems were updated to use the common metadata endpoint in 2022. Developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation. Thus, the mail system would accept a request for enterprise email using a security token signed with the consumer key (this issue has been corrected using the updated libraries).
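The validation gap described in the quote above, as an added example that is not Microsoft's code: a small JWS-style token verifier whose "common metadata" set publishes both a consumer key and an enterprise key. The first validator checks only that the signature verifies under whichever published key the token names, which is the assumption the mail developers made; the second additionally requires the signing key to be scoped to the expected issuer. Key material, key IDs, issuer URLs and the user name are constructed for the example, and HMAC-SHA256 stands in for the real asymmetric keys so the block runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed signing-key metadata, standing in for what a common metadata
# endpoint would publish. Real MSA/Azure AD keys are asymmetric; HMAC-SHA256
# is used here only so the example runs without third-party libraries.
# The "issuer" field records which issuer each key is scoped to.
CONSUMER_ISSUER = "https://login.live.com"                        # assumed consumer issuer
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso"   # hypothetical tenant issuer

KEYS = {
    "consumer-kid-1": {"secret": b"consumer-signing-secret", "issuer": CONSUMER_ISSUER},
    "enterprise-kid-1": {"secret": b"enterprise-signing-secret", "issuer": ENTERPRISE_ISSUER},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token (header.claims.signature) with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _check_signature(token: str) -> Optional[Tuple[dict, dict]]:
    """Cryptographic check only. Returns (key metadata, claims) when the signature
    verifies under whichever published key the header's kid names, else None."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except ValueError:  # covers bad base64, bad JSON and a wrong segment count
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return key, claims


def validate_signature_only(token: str) -> Optional[dict]:
    """The flawed pattern: the caller assumes the helper did complete validation.
    Any key in the common metadata set, consumer or enterprise, is accepted."""
    result = _check_signature(token)
    return None if result is None else result[1]


def validate_for_enterprise_mail(token: str) -> Optional[dict]:
    """The corrected pattern: the signature must verify AND the signing key must be
    scoped to the issuer the mail system expects. Once an attacker holds a key the
    iss claim is attacker-controlled, so the decisive check is on the key's scope."""
    result = _check_signature(token)
    if result is None:
        return None
    key, claims = result
    if key["issuer"] != ENTERPRISE_ISSUER:
        return None
    if claims.get("iss") != ENTERPRISE_ISSUER:
        return None
    return claims


def forge_enterprise_token_with_consumer_key() -> str:
    """What an actor holding only the consumer key can do: mint a token whose
    claims name an enterprise user and the enterprise issuer."""
    claims = {"iss": ENTERPRISE_ISSUER, "sub": "alice@contoso.example", "aud": "enterprise-mail"}
    return sign_token("consumer-kid-1", claims)


if __name__ == "__main__":
    forged = forge_enterprise_token_with_consumer_key()
    print("signature-only check accepts forged token:", validate_signature_only(forged) is not None)
    print("issuer/scope check accepts forged token:  ", validate_for_enterprise_mail(forged) is not None)
```

The point the example makes is the one in Microsoft's write-up: a shared validation helper that verifies signatures against a combined key set is only safe if every caller also pins the accepted key to the issuer it serves, and that check belongs in the library rather than in each caller's memory of what the library does.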

After the intrusion into government email accounts was discovered, Microsoft invalidated the MSA key and blocked the use of any tokens issued with it. In August, the US government's Cyber Safety Review Board (CSRB) announced it would conduct its own investigation into the incident, as part of a broader review of attacks targeting cloud computing environments and providers.
