Microsoft announced that it recently blocked a group of hackers, which it labeled Storm-0558, that accessed email accounts belonging to around 25 organizations, including government agencies.
How Hackers Gained Access To Email Accounts
In a blog post, Microsoft said it began investigating abnormal activity in some email accounts on June 16 after being notified by customers.
Its investigation revealed that beginning May 15, the hacking group exploited a vulnerability to forge authentication tokens and gain entry into organizations’ Microsoft 365 accounts.
Using a compromised Microsoft consumer account signing key, the hackers could impersonate users and access email accounts through services like Outlook Web Access and Outlook.com.
According to a recent joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, the federal agency observed suspicious activity in its Microsoft 365 logs.
This led to the discovery that advanced persistent threat actors had accessed and exfiltrated data from some Exchange Online Outlook accounts.
What Is Storm-0558?
According to Microsoft’s actor profile of Storm-0558, the description of the group is as follows:
Storm-0558 (DEV-0558) is a nation-state activity group based out of China. They focus on espionage, data theft, and credential access. They are also known to use custom malware that Microsoft tracks as Cigril and Bling, for credential access.
How The Issue Was Resolved
CISA and the FBI advised organizations using Exchange Online to implement enhanced monitoring and logging to detect similar attacks.
Their recommendations include enabling advanced audit logging features and gaining visibility into standard cloud traffic patterns.
Microsoft claims it has fully resolved the issue and blocked the hackers’ access. It is working with impacted customers and has notified them ahead of its public disclosure.
The company said it had found no evidence the hackers remained in any corporate systems.
Mitigating Future Cyberattacks
This latest activity comes as cyberattacks continue to increase against organizations worldwide.
United States Senator Mark R. Warner, Chairman of the Senate Select Committee on Intelligence, expressed concern over reports of the latest cyberattack and what would be needed to prevent future incidents.
“The Senate Intelligence Committee is closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence. It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies. Close coordination between the U.S. government and the private sector will be critical to countering this threat.”
Microsoft plans to keep improving security around account keys and tokens to stay ahead of evolving cyber risks.
It emphasized the need for continued collaboration and transparency to strengthen defenses across the tech industry against sophisticated hacking campaigns.
Featured image: Koshiro K/Shutterstock