Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments
Microsoft on Tuesday revealed that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations, some of which include government agencies, in a cyber espionage campaign designed to acquire confidential data.
The attacks, which commenced on May 15, 2023, entailed access to email accounts affecting approximately 25 entities and a small number of related individual consumer accounts.
The tech giant attributed the campaign to Storm-0558, describing it as a nation-state activity group based out of China that primarily singles out government agencies in Western Europe.
“They focus on espionage, data theft, and credential access,” Microsoft said. “They are also known to use custom malware that Microsoft tracks as Cigril and Bling, for credential access.”
The breach is said to have been detected a month later on June 16, 2023, after an unidentified customer reported the anomalous email activity to Microsoft.
Microsoft said it notified all targeted or compromised organizations directly via their tenant admins. It did not name the organizations and agencies affected and the number of accounts that may have been hacked.
The access to customer email accounts, per Redmond, was facilitated through Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.
“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com,” it explained. “MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems.”
“The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.”
Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.
Join the WebinarThere is no evidence that the threat actor used Azure AD keys or any other MSA keys to carry out the attacks. Microsoft has since blocked the usage of tokens signed with the acquired MSA key in OWA to mitigate the attack.
“This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems,” Charlie Bell, executive vice president of Microsoft Security, said.
The disclosure comes more than a month after Microsoft exposed critical infrastructure attacks mounted by a Chinese adversarial collective called Volt Typhoon (aka Bronze Silhouette or Vanguard Panda) in the U.S.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
