More details are now available about how the May-June breach of government Outlook email accounts by Chinese hackers unfolded, and Microsoft says that the issue began with a signing key being errantly included in a data dump that was sent to the company’s internet-facing network for debugging.
Microsoft believes that an engineer with access to the debugging environment had their account breached, but this is just a theory as the company apparently does not keep internal logs for a long enough period to go back and find out exactly what happened. The report has thus satisfied some curiosity about what exactly happened, but has also raised some fresh questions about Microsoft’s preparedness and security posture.
Signing key’s odd journey to the corporate network based on conjecture
The Microsoft report reveals several security oversights that, had they been functioning as intended, might have acted as chokepoints to stop the Chinese hackers. The stolen signing key would not have gotten the attackers very far (or at least not into Outlook email accounts) if a signature validation API had not been poorly configured and set to accept both consumer and enterprise keys for any authorization request made of it. Media reports have also noted that Microsoft offers a security logging feature that would have made the incursions plain upon inspection, but that it is only available at a paid tier that most of its users do not subscribe to (including a number of the US federal agencies that were hit).
We also still do not know how the Microsoft engineer was originally compromised by the Chinese hackers. Microsoft only says that this is the most reasonable theory, and that the compromise may have taken place sometime in 2021 or 2022. All that is known for sure is that Microsoft’s security logs apparently do not go back far enough to determine what happened.
This is likely not the end of the story, however; the U.S. Cyber Safety Review Board (CSRB) will almost certainly be seeking better answers as part of its ongoing investigation of cloud environment security. While this investigation spans numerous service providers, Microsoft’s signing key lapse over the summer appears to have been the direct impetus for it and an ongoing central focus.
At least a month of access for Chinese hackers
The one bright spot found in Microsoft’s update is that it appears the Chinese hackers did not get away with any classified information; the Outlook accounts they broke into are restricted to non-sensitive communications.
The breach also appears ultimately to stem from a one-off “race condition” error that is not likely to be repeated. However, that does not get Microsoft entirely off the hook in terms of questions about its security practices and the tools it provides to its customers.
It would be very helpful to know exactly when the engineer was compromised and the signing key discovered by the Chinese hackers. Microsoft has only disclosed that the signing key moved to the public-facing internet in April 2021, and that the breach might have happened anytime after that. The company appears to have written the incident off and does not plan to investigate further unless pushed to by regulators.
The report also offered little new information about the mysterious “Storm-0558” group allegedly responsible for the breach, nor did it shed new light on other entities the Chinese hackers compromised or specific materials they were able to steal. More information on Storm-0558 would be quite helpful to potential targets, as the group has been noted for its creative approaches and careful, seemingly well-funded reconnaissance of targets.
In the meantime, the incident does serve as a timely reminder to all organizations to ensure that tokens and keys are being rotated regularly.
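The two technical points in this story, a validation API that accepted a consumer key for enterprise requests and the closing reminder about key rotation, can be shown together in a small token validator. The code below is an added example, not Microsoft's code or any reconstruction of its internal API. It uses HMAC-SHA256 secrets as a stand-in for the asymmetric signing keys a real identity provider publishes, so it runs with the Python standard library alone; the issuer URLs, key ids, secrets and the fixed clock are all constructed values. `weak_validate` mirrors the misconfiguration described above (any key in any ring may vouch for any token), while `hardened_validate` consults only the expected issuer's key ring, refuses keys past their rotation date, and checks the `iss`, `aud` and `exp` claims after the signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key rings, one per token issuer. Real providers publish
# asymmetric keys; HMAC secrets stand in here so the example runs offline.
# Each key carries a "not_after" timestamp so rotation can be enforced.
NOW = 1_700_000_000  # fixed clock so results are reproducible

CON = "https://consumer.example/"    # hypothetical consumer identity issuer
ENT = "https://enterprise.example/"  # hypothetical enterprise identity issuer
MAIL = "https://mail.example/"       # hypothetical audience (the mail service)

KEY_RINGS = {
    CON: {
        "msa-2021-04": {"secret": b"consumer-secret-A", "not_after": NOW + 86_400},
    },
    ENT: {
        "aad-2023-09": {"secret": b"enterprise-secret-B", "not_after": NOW + 86_400},
        "aad-2021-01": {"secret": b"enterprise-secret-old", "not_after": NOW - 1},  # retired
    },
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(key_issuer: str, kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token (header.payload.signature) with HMAC-SHA256."""
    secret = KEY_RINGS[key_issuer][kid]["secret"]
    header = _b64e(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64e(sig)}"


def _split(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64d(header_b64))
    payload = json.loads(_b64d(payload_b64))
    return header, payload, f"{header_b64}.{payload_b64}".encode(), _b64d(sig_b64)


def _verify_with(secret: bytes, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def weak_validate(token: str) -> bool:
    """The misconfiguration: every issuer's keys are pooled, whichever ring holds
    the kid is trusted, and the token's claims are never checked against the
    issuer whose key actually signed it."""
    header, _payload, signing_input, sig = _split(token)
    for ring in KEY_RINGS.values():
        key = ring.get(header.get("kid"))
        if key is not None:
            return _verify_with(key["secret"], signing_input, sig)
    return False


def hardened_validate(token: str, expected_iss: str, expected_aud: str, now: int = NOW) -> bool:
    """Scoped validation: only the expected issuer's ring is consulted, retired
    keys are refused, and iss/aud/exp are checked once the signature holds."""
    header, payload, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        return False
    key = KEY_RINGS.get(expected_iss, {}).get(header.get("kid"))
    if key is None or now >= key["not_after"]:
        return False  # kid unknown to this issuer, or key past its rotation date
    if not _verify_with(key["secret"], signing_input, sig):
        return False
    return (payload.get("iss") == expected_iss
            and payload.get("aud") == expected_aud
            and payload.get("exp", 0) > now)


def cross_issuer_token() -> str:
    # Constructed: signed with the consumer key, but claiming the enterprise issuer.
    return sign_token(CON, "msa-2021-04", {"iss": ENT, "aud": MAIL, "sub": "user@corp", "exp": NOW + 600})


def legitimate_enterprise_token() -> str:
    return sign_token(ENT, "aad-2023-09", {"iss": ENT, "aud": MAIL, "sub": "user@corp", "exp": NOW + 600})


def retired_key_token() -> str:
    return sign_token(ENT, "aad-2021-01", {"iss": ENT, "aud": MAIL, "sub": "user@corp", "exp": NOW + 600})


if __name__ == "__main__":
    print("weak accepts cross-issuer token:    ", weak_validate(cross_issuer_token()))
    print("hardened accepts cross-issuer token:", hardened_validate(cross_issuer_token(), ENT, MAIL))
    print("hardened accepts legitimate token:  ", hardened_validate(legitimate_enterprise_token(), ENT, MAIL))
    print("hardened accepts retired-key token: ", hardened_validate(retired_key_token(), ENT, MAIL))
```

The design point is that the key ring is selected by the issuer the relying party expects, never by the `kid` the token itself presents, so a key from one trust domain can never vouch for claims in another; the `not_after` check is what turns a rotation policy into something the validator actually enforces rather than a calendar reminder.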