Updated Jul 12, 2023 - Technology

Microsoft says China-based hackers infiltrated government email accounts

Microsoft logo on a phone

Photo: CFOTO/Future Publishing via Getty Images

Microsoft disclosed in a blog post Tuesday night that a China-based hacking group gained access to an unspecified number of email accounts across approximately 25 organizations.

Why it matters: Many of the accounts affected are tied to government agencies and individuals likely associated with those agencies, Microsoft said.

  • The Cybersecurity and Infrastructure Security Agency also said in an advisory released Wednesday that a U.S. federal civilian agency identified "suspicious activity" in its Microsoft 365 cloud environment last month, resulting in state-backed hackers exfiltrating unclassified information.
  • Spokespeople at the State Department and Department of Commerce confirmed Wednesday that their offices were victims in the espionage campaign. A senior CISA official told reporters during a briefing that the number of affected U.S. organizations is "in the single digits."
  • It remains unclear how much information, if any, was stolen as the investigation continues. However, the same CISA official confirmed the campaign was "limited to unclassified Outlook email mailboxes" and no classified systems or data was affected.

The big picture: The scale of this most recent China-backed espionage campaign is smaller than others in recent years — including another campaign that also targeted Microsoft and another that involved software company SolarWinds.

  • "This appears to have been a very targeted, surgical campaign that was not seeking the breadth of access that we have seen in other campaigns, such as SolarWinds," the senior CISA official said of the latest campaign.
  • However, the attack does come as the Biden administration pushes new standards for software companies that focus on making products more cyber-secure as they're developed.

What's happening: Microsoft believes the espionage group had access to some accounts for as long as a month before the company detected the breach.

  • Microsoft has attributed the attack to a group it calls Storm-0558, a cyber espionage group that's known primarily for targeting government agencies in Western Europe.
  • Storm-0558 gained access to certain Outlook email accounts using a stolen signing key to forge identity authentication tokens.
  • Microsoft said it has since mitigated the impact of the attack for its customers.

What they're saying: "The accountability starts right here at Microsoft," Charlie Bell, Microsoft Security's executive vice president, said in the blog post.

  • "We are continually self-evaluating, learning from incidents, and hardening our identity/access platforms to manage evolving risks around keys and tokens," he added.

Be smart: CISA released recommendations in its blog post for critical infrastructure organizations to better monitor and audit their Microsoft Exchange environments.

Editor's note: This story was updated with additional information.

Go deeper