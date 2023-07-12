Microsoft revealed on Tuesday that it had thwarted a cyber attack carried out by a China-based malicious actor who targeted two dozen organizations, including government agencies, in a cyber-espionage campaign aimed at obtaining confidential data.

What does Microsoft know about this cyberattack?

The attacks, which began on May 15, 2023, involved access to email accounts belonging to around 25 organizations and a small number of related consumer accounts.

The tech giant attributed the cyberattack to Storm-0558, describing it as a cluster of China-based nation-state activity that mainly focuses on government agencies in Western Europe.

“They focus on espionage, data theft and credential access,” Microsoft said. “They are also known for using custom malware that Microsoft tracks as Cigril and Bling to access credentials.”

The breach is said to have been discovered a month later on June 16, 2023, after an unidentified customer reported anomalous email activity to the company.

Microsoft said it directly notified all targeted or compromised organizations through their administrators. It did not name the organizations and agencies affected, nor the number of accounts that may have been compromised.

However, according to the Washington Post, the attackers also breached several unclassified US government email accounts.

Access to customers’ email accounts, according to Redmond, was obtained through Outlook Web Access (OWA) in Exchange Online and Outlook.com by forging authentication tokens.

“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com,” Microsoft explained. “MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed by separate systems and should only be valid for their respective systems.”

It added: “The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.”

What else leaked from this cyberattack from China?

There is no evidence that the threat actor used Azure AD keys or any other MSA keys to carry out the attacks. Microsoft has since blocked the use of tokens signed with the acquired MSA key in OWA to mitigate the attack.
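The two Microsoft statements above describe a token validation problem of a general kind: a signing key that belongs to one issuing system (consumer MSA) was honoured for tokens that claimed to come from another (enterprise Azure AD). The following Python example is added here to illustrate that class of defect and the mitigation the article mentions; it is not Microsoft's code and does not model the real MSA or Azure AD token formats. It assumes a simplified compact JWS-style token signed with HMAC-SHA256 (the real keys are asymmetric), constructed issuer names and secrets, and a hypothetical revoked-key-id list standing in for "blocking tokens signed with the acquired key". The weak validator picks a key by `kid` from one merged key store; the hardened validator only consults the key set of the issuer the resource trusts and refuses revoked key ids.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key material, one signing key per issuing system.
# Real MSA and Azure AD signing keys are asymmetric and published via
# OpenID metadata; HMAC keeps this example self-contained.
CONSUMER_ISSUER = "https://login.live.com"                       # MSA (consumer), constructed
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso"  # Azure AD (enterprise), constructed

ISSUER_KEYS = {
    CONSUMER_ISSUER: {"msa-kid-1": b"constructed-consumer-signing-secret"},
    ENTERPRISE_ISSUER: {"aad-kid-1": b"constructed-enterprise-signing-secret"},
}

# Hypothetical deny-list: key ids whose tokens must be refused everywhere.
REVOKED_KIDS = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact token: base64url(header).base64url(claims).base64url(sig)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _split(token: str):
    head, body, sig = token.split(".")
    return json.loads(_unb64(head)), json.loads(_unb64(body)), head + "." + body, _unb64(sig)


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_merged(token: str, expected_aud: str):
    """Weak pattern: one merged key store, key chosen by 'kid' alone.
    A valid signature from ANY issuing system is accepted for this audience."""
    merged = {kid: key for keys in ISSUER_KEYS.values() for kid, key in keys.items()}
    header, claims, signing_input, sig = _split(token)
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != expected_aud:
        return None
    return claims


def validate_scoped(token: str, expected_iss: str, expected_aud: str):
    """Hardened pattern: 'iss' and 'aud' must match what this resource trusts,
    the key is looked up only in that issuer's key set, and revoked kids are refused."""
    header, claims, signing_input, sig = _split(token)
    kid = header.get("kid")
    if kid in REVOKED_KIDS:
        return None
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    key = ISSUER_KEYS.get(expected_iss, {}).get(kid)  # scoped, not merged
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    return claims


def cross_system_demo():
    """A token carrying enterprise claims but signed under the consumer system's key."""
    enterprise_claims = {"iss": ENTERPRISE_ISSUER, "aud": "exchange-online", "sub": "alice@contoso.example"}
    mis_signed = sign_token(enterprise_claims, "msa-kid-1", ISSUER_KEYS[CONSUMER_ISSUER]["msa-kid-1"])
    genuine = sign_token(enterprise_claims, "aad-kid-1", ISSUER_KEYS[ENTERPRISE_ISSUER]["aad-kid-1"])
    return {
        "merged_accepts_cross_system": validate_merged(mis_signed, "exchange-online") is not None,
        "scoped_accepts_cross_system": validate_scoped(mis_signed, ENTERPRISE_ISSUER, "exchange-online") is not None,
        "scoped_accepts_genuine": validate_scoped(genuine, ENTERPRISE_ISSUER, "exchange-online") is not None,
    }


def revocation_demo():
    """Once the consumer key id is revoked, even a properly issued consumer token is refused."""
    consumer_token = sign_token({"iss": CONSUMER_ISSUER, "aud": "outlook.com", "sub": "bob@example.com"},
                                "msa-kid-1", ISSUER_KEYS[CONSUMER_ISSUER]["msa-kid-1"])
    before = validate_scoped(consumer_token, CONSUMER_ISSUER, "outlook.com") is not None
    REVOKED_KIDS.add("msa-kid-1")
    after = validate_scoped(consumer_token, CONSUMER_ISSUER, "outlook.com") is not None
    REVOKED_KIDS.discard("msa-kid-1")
    return before, after


if __name__ == "__main__":
    print(cross_system_demo())   # merged store accepts the cross-system token; scoped store does not
    print(revocation_demo())     # (True, False)
```

The point for defenders is the lookup order in `validate_scoped`: decide which issuer the resource trusts first, then fetch the key from that issuer's set, rather than resolving `kid` across every key the service has ever been handed. Revoking a key id is the blunt, immediate control; binding keys to their issuing system is what removes the class of problem.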

“This type of espionage-motivated adversary seeks to abuse credentials and gain access to data on sensitive systems,” said Charlie Bell, executive vice president of Microsoft Security.

The disclosure comes more than a month after Microsoft revealed attacks on critical infrastructure in the United States carried out by a Chinese adversary collective called Volt Typhoon (also known as Bronze Silhouette or Vanguard Panda).