Microsoft reports that Chinese hackers gained access to a small number of high-level US government email accounts by forging authentication tokens, in yet another case that calls for additional security layers around sensitive communications. Because the tokens were forged rather than obtained by logging in, MFA on the victim accounts would not have stopped this particular intrusion; the weak points were the signing key the attackers held and the token validation that trusted it.
The Chinese hackers reportedly presented the forged tokens to Outlook Web Access (OWA) and Outlook.com and read the mailboxes through ordinary browser sessions. Hardware keys or even text-message 2FA would not have blocked this: a forged token asserts that authentication, MFA included, has already taken place, so the mail service never challenges the user. It is still unclear exactly how bad the compromise was (an internal investigation continues), but officials have said that multiple federal agencies were hit and that the Commerce Secretary was one of the victims.
Federal government email accounts once again hit by foreign espionage
Microsoft assesses with “moderate confidence” that the culprit behind the latest assault on government email accounts is Storm-0558, which it attributes to Chinese control based on a number of factors: the tooling and tradecraft used, activity concentrated in Chinese working hours, and some overlap with the notorious Zirconium group. Storm-0558 has been active for some years now and is a frequent meddler in the affairs of Taiwan and Western Europe, among other targets.
Though Russia and others continue to have success in their cyber attacks on the US, Chinese hackers have become a top priority for the government given the size and scope of Beijing’s espionage programs. The country has also not been shy about spying on both government and private industry, and was among the earliest to form specialized cyber groups and begin incursions of this sort with the dawn of the public internet.
It is unclear whether the Chinese hackers employed a “zero day” of some sort in this attack, but they were definitely very selective about the government email accounts they wanted to target and appeared to be trying to avoid attention for as long as possible (another element that points strongly to state-backed espionage).
Chinese hackers have become a government priority
Little has been revealed to the public about the government email addresses that were compromised, save that the Chinese hackers made it into Commerce Secretary Gina Raimondo’s inbox and at least made attempts on “several” members of the House of Representatives.
Officials also said that only unclassified systems were impacted by the breach.
The breach window appears to have run from about mid-May to July 4. The intrusion was first detected in mid-June at the State Department, and Microsoft was quickly looped in. However, not all of the impacted departments may have been identified and notified right away, and the Chinese hackers had at least one month of access to government email accounts before action was taken against them. Microsoft says that the consumer (Microsoft account) signing key the attackers had acquired and used to mint the forged tokens has been invalidated, and that tokens issued with it have been identified and blocked. The core failure was one of key scoping: a key meant only to sign tokens for consumer accounts was accepted as proof of identity for enterprise mailboxes.
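To make the key-scoping failure concrete, here is an added illustration that is not code from the original article or from Microsoft. It models two signing domains (a consumer issuer and a hypothetical enterprise tenant) and compares a validator that pools both key sets against one that looks a token's `kid` up only in the key set of the issuer it is trusted for. The real incident involved an asymmetric Microsoft consumer signing key and Microsoft's own validation code; the HMAC secrets, issuer URLs, key IDs and audience string below are constructed stand-ins so the example runs offline with the standard library. The forged token also carries an `amr` claim asserting MFA, which is the reason a second factor on the victim's account does not help: the signer simply claims it happened.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed keys for two separate trust domains. The real incident involved an
# asymmetric (RSA) consumer-account signing key; HMAC secrets are used here only
# so the example runs with the standard library.
CONSUMER_KEYS: Dict[str, bytes] = {"msa-key-1": b"consumer-signing-secret-EXAMPLE"}
ENTERPRISE_KEYS: Dict[str, bytes] = {"aad-key-1": b"enterprise-signing-secret-EXAMPLE"}

CONSUMER_ISSUER = "https://login.live.com"              # consumer (Outlook.com) accounts
ENTERPRISE_ISSUER = "https://login.example-tenant.test"  # hypothetical enterprise tenant
MAIL_AUDIENCE = "https://outlook.office365.com"          # the mail resource being accessed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint an HS256 JWT with the given key. Whoever holds the key chooses every
    claim, including `amr` (authentication methods), so a token can assert that
    MFA happened although no user ever logged in."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_token_with_consumer_key(victim_upn: str) -> str:
    """Attacker's view: a leaked *consumer* key mints a token that names the
    *enterprise* issuer and claims the victim already passed MFA."""
    kid, key = next(iter(CONSUMER_KEYS.items()))
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "upn": victim_upn,
              "amr": ["pwd", "mfa"], "exp": int(time.time()) + 3600}
    return sign_token(claims, kid, key)


def mint_enterprise_token(upn: str) -> str:
    """Legitimate token from the enterprise issuer, signed with its own key."""
    kid, key = next(iter(ENTERPRISE_KEYS.items()))
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "upn": upn,
              "amr": ["pwd", "mfa"], "exp": int(time.time()) + 3600}
    return sign_token(claims, kid, key)


def _verify(token: str, keys: Dict[str, bytes], audience: str) -> Optional[dict]:
    """Signature, audience and expiry check against one candidate key set."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    key = keys.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig_b64), expected):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        return None
    return claims


def validate_unscoped(token: str, audience: str = MAIL_AUDIENCE) -> Optional[dict]:
    """Flawed validator: consumer and enterprise keys are pooled, so a token
    signed by the consumer key is accepted for an enterprise mailbox."""
    return _verify(token, {**CONSUMER_KEYS, **ENTERPRISE_KEYS}, audience)


def validate_scoped(token: str, audience: str = MAIL_AUDIENCE) -> Optional[dict]:
    """Hardened validator: only issuers trusted for this resource are allowed,
    and the `kid` is looked up solely in that issuer's own key set. The issuer
    is read from the unverified payload only to pick the key set; the signature
    check that follows binds the payload, so a lie about `iss` cannot help."""
    trusted = {ENTERPRISE_ISSUER: ENTERPRISE_KEYS}  # consumer issuer deliberately absent
    issuer = json.loads(_b64url_decode(token.split(".")[1])).get("iss")
    keys = trusted.get(issuer)
    return None if keys is None else _verify(token, keys, audience)


if __name__ == "__main__":
    forged = forge_token_with_consumer_key("victim@example-tenant.test")
    print("pooled keys accept forged token:", validate_unscoped(forged) is not None)
    print("scoped keys accept forged token:", validate_scoped(forged) is not None)
```

The forged token is rejected by the scoped validator because `msa-key-1` is never consulted for the enterprise issuer, regardless of what the token's `iss` or `amr` claims say. A legitimate token from the enterprise issuer passes both validators, which is why the flaw is easy to miss in testing: every valid token still works, and only a token signed by the wrong domain's key reveals the difference.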
While a month or more of unfettered access might seem like a major security failing, in relative terms it is an improvement in government response. The SolarWinds SUNBURST breach window lasted for months, and the Sakula malware used by Chinese hackers to penetrate the Office of Personnel Management in 2015 was thought to have been in use since 2012 before it was identified.