Microsoft reported on Tuesday that a Chinese cyberespionage group it tracks as Storm-0558 was recently spotted using forged authentication tokens to hack government email accounts.
According to the tech giant, the hackers gained access to the email accounts of roughly 25 organizations, including government agencies and consumer accounts belonging to individuals associated with the targeted entities.
Microsoft’s investigation showed that the threat actor forged authentication tokens to gain access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com. Specifically, the attackers used a Microsoft account (MSA) consumer signing key to forge the tokens.
“MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems,” Microsoft explained. “The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor.”
The company pointed out that only OWA and Outlook.com were targeted using forged authentication tokens.
Microsoft said it became aware of the attacks on June 16 and an investigation showed that the activity began one month earlier.
The company took steps to mitigate the attack, including blocking the usage of tokens signed with the compromised key and replacing the key itself. Impacted customers have been notified and provided with information needed for incident response.
Microsoft said the Storm-0558 group mainly targets government agencies in Western Europe, focusing on cyberespionage, data theft, and credential access.
However, CNN learned that unclassified US government email accounts have also been targeted by the Chinese cyberspies. The vulnerability that made the attack possible was reportedly discovered by the US government, specifically the State Department, which then notified Microsoft.
Microsoft also revealed on Tuesday, when it informed customers about over 130 new vulnerabilities, including several actively exploited zero-days, that a Russian threat actor known as Storm-0978 and RomCom had exploited a zero-day tracked as CVE-2023-36884 in attacks targeting defense and government entities in Europe and North America.
The group has been known for its cybercriminal activities, but it recently turned to espionage. It has been observed targeting NATO Summit guests and other entities supporting Ukraine.