Emails from US government agencies compromised by cyberattack backed by China
An unnamed agency in the Federal Civilian Executive Branch (FCEB) of the United States detected unusual email activity in mid-June 2023. This discovery led to Microsoft uncovering a new espionage campaign connected to China, targeting approximately two dozen organisations.
In July 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly released a cybersecurity advisory providing more details. According to the authorities, in June 2023 a Federal Civilian Executive Branch agency detected suspicious activity within its Microsoft 365 (M365) cloud environment.
Microsoft subsequently determined that advanced persistent threat (APT) actors had gained unauthorised access to and exfiltrated unclassified Exchange Online Outlook data.
The specific government agency involved was not disclosed. In addition to the State Department, the campaign targeted the Commerce Department, as well as the email accounts of a congressional staffer and a U.S. human rights advocate. The number of affected organisations in the U.S. is estimated to be fewer than ten.
The disclosure of these events followed Microsoft's attribution of the campaign to an emerging "China-based threat actor" named Storm-0558. This threat actor primarily focuses on government agencies in Western Europe and specialises in espionage and data theft. Evidence collected so far indicates that the malicious activity began a month before its detection.
China, however, has rejected the accusations, stating that the U.S. is "the world's biggest hacking empire and global cyber thief." China also insisted that the U.S. should clarify its own cyber attack activities and refrain from spreading disinformation to divert public attention.
The attack involved the use of forged authentication tokens by the cyberspies to gain access to customer email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com. These tokens were forged using a Microsoft account (MSA) consumer signing key that the threat actors had acquired. The precise method through which they obtained the key remains unclear.
Two custom malware tools, namely Bling and Cigril, were employed by the threat actor Storm-0558. Cigril, described as a trojan, decrypts encrypted files and executes them directly from system memory to evade detection.
CISA revealed that the FCEB agency was able to identify the breach by utilising enhanced logging in Microsoft Purview Audit, specifically by monitoring the MailItemsAccessed mailbox-auditing action.
Furthermore, CISA recommends that organisations enable Purview Audit (Premium) logging, activate Microsoft 365 Unified Audit Logging (UAL), and ensure that logs are searchable by operators. These measures facilitate the detection and investigation of similar activities, allowing organisations to distinguish them from normal behaviour within the environment.
CISA and the FBI also emphasised the importance of organisations familiarising themselves with baseline patterns and identifying anomalies in order to recognise abnormal traffic. By doing so, organisations can enhance their ability to recognise and respond to such threats effectively.
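The baseline-then-anomaly approach the advisory recommends can be shown concretely over MailItemsAccessed records. The following is an added example, not code from the advisory, CISA or Microsoft: it builds a per-user baseline (client application IDs, client network ranges, peak access volume) from a learning window of audit records and then flags records in a later window that depart from it. The audit records are constructed; their field names (Operation, UserId, AppId, ClientInfoString, ClientIPAddress, OperationCount) follow the shape of Unified Audit Log AuditData for MailItemsAccessed events, but every value, including the AppId GUIDs and IP addresses, is made up, and the thresholds are assumptions to tune for a real tenant.

```python
"""Baseline-and-anomaly check over MailItemsAccessed audit records.

Added example. Records are constructed; field names mirror the shape of
Microsoft 365 Unified Audit Log AuditData, all values are made up.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed "learning window": a few days of ordinary access for two users.
# AppIds are placeholder GUIDs, not real Microsoft application IDs.
BASELINE_LOG = """\
{"CreationTime":"2023-05-01T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"11111111-1111-1111-1111-111111111111","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.10","OperationCount":12}
{"CreationTime":"2023-05-02T08:15:40","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"11111111-1111-1111-1111-111111111111","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.22","OperationCount":9}
{"CreationTime":"2023-05-03T09:01:05","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"22222222-2222-2222-2222-222222222222","ClientInfoString":"Client=OutlookService;Outlook-iOS","ClientIPAddress":"198.51.100.7","OperationCount":20}
{"CreationTime":"2023-05-01T10:30:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","AppId":"11111111-1111-1111-1111-111111111111","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.15","OperationCount":5}
{"CreationTime":"2023-05-02T11:00:00","Operation":"UserLoggedIn","UserId":"bob@example.gov","ClientIPAddress":"203.0.113.15"}
"""

# Constructed "detection window": two ordinary records and one that uses an
# unseen application, an unseen network and a far larger item count.
DETECTION_LOG = """\
{"CreationTime":"2023-06-15T03:12:44","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"11111111-1111-1111-1111-111111111111","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.31","OperationCount":11}
{"CreationTime":"2023-06-15T03:14:02","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"33333333-3333-3333-3333-333333333333","ClientInfoString":"Client=REST;Client=RESTSystem","ClientIPAddress":"192.0.2.77","OperationCount":480}
{"CreationTime":"2023-06-15T09:00:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","AppId":"11111111-1111-1111-1111-111111111111","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.15","OperationCount":6}
"""


def parse_records(text):
    """Parse newline-delimited AuditData JSON, keeping only MailItemsAccessed events."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") == "MailItemsAccessed":
            records.append(rec)
    return records


def network_key(ip):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so a new host inside
    a known range does not raise an alert on its own."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def build_baseline(records):
    """Per user: the set of AppIds, the set of client networks and the peak OperationCount."""
    baseline = defaultdict(lambda: {"apps": set(), "nets": set(), "max_ops": 0})
    for rec in records:
        entry = baseline[rec["UserId"]]
        entry["apps"].add(rec.get("AppId", ""))
        entry["nets"].add(network_key(rec["ClientIPAddress"]))
        entry["max_ops"] = max(entry["max_ops"], int(rec.get("OperationCount", 0)))
    return dict(baseline)


def find_anomalies(records, baseline, volume_factor=5):
    """Return one alert per record that departs from the user's baseline.

    volume_factor is an assumed tuning knob: flag when OperationCount exceeds
    volume_factor times the user's baseline peak.
    """
    alerts = []
    for rec in records:
        user = rec["UserId"]
        reasons = []
        known = baseline.get(user)
        if known is None:
            reasons.append("no baseline for user")
        else:
            app = rec.get("AppId", "")
            if app not in known["apps"]:
                reasons.append(f"unseen AppId {app}")
            net = network_key(rec["ClientIPAddress"])
            if net not in known["nets"]:
                reasons.append(f"unseen client network {net}")
            ops = int(rec.get("OperationCount", 0))
            if known["max_ops"] and ops > volume_factor * known["max_ops"]:
                reasons.append(f"OperationCount {ops} exceeds {volume_factor}x baseline peak {known['max_ops']}")
        if reasons:
            alerts.append({
                "time": rec["CreationTime"],
                "user": user,
                "ip": rec["ClientIPAddress"],
                "client": rec.get("ClientInfoString", ""),
                "reasons": reasons,
            })
    return alerts


def run():
    """Build the baseline from the learning window and check the detection window."""
    baseline = build_baseline(parse_records(BASELINE_LOG))
    return find_anomalies(parse_records(DETECTION_LOG), baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert["time"], alert["user"], alert["ip"], alert["client"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

On the constructed input only the second alice record is reported, for all three reasons at once; the new host at 203.0.113.31 stays quiet because it falls inside a network the user already used. In a real investigation the learning window would be weeks of exported UAL data rather than five lines, and a new AppId or network on its own is a lead to review, not proof of compromise.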