Chinese cyberspies exploited a fundamental gap in Microsoft's cloud, enabling them to conduct a targeted hack of unclassified U.S. email accounts — a troubling vulnerability officials said was discovered by the U.S. government.
The security problem was discovered last month after the U.S. government identified a hole in Microsoft's cloud security, which affected unclassified systems, according to the White House.
"Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service," National Security Council spokesman Adam Hodges said in a statement to The Washington Post. "We continue to hold the procurement providers of the U.S. government to a high security threshold."
The number of U.S. email accounts believed to be affected so far is limited, and the attack appeared targeted, though an FBI investigation is ongoing, said a person familiar with the matter who spoke on the condition of anonymity because of the matter's sensitivity. Pentagon, intelligence community and military email accounts did not appear to be affected, the person said.
Microsoft disclosed late Tuesday that it had mitigated an attack by "a China-based threat actor" that primarily targets government agencies in Western Europe and focuses on espionage and data theft.
The Redmond, Wash.-based tech giant said it began an investigation after being notified in mid-June. The probe revealed that the hackers, whom Microsoft is calling Storm-0558, gained access to email accounts affecting about 25 organizations, including government agencies.
They did this by using forged authentication tokens to access user email using an acquired Microsoft account consumer signing key, according to a blog written by Charlie Bell, Microsoft security executive vice president.
Microsoft has completed its mitigation of the attack for all customers, Bell added in the blog. U.S. officials also say they believe the incident has been contained. "There are some hard questions they have to answer," though, said the person familiar with the matter.
This is not the first time Microsoft, the world's largest software provider, has been found to have significant vulnerabilities in its products and services.
In 2020, Russian hackers breached U.S. government email accounts by exploiting software made by a Texas company called SolarWinds. Those hackers then exploited weaknesses in Microsoft's system for authenticating users, using tokens that would improperly give them the same access as an administrator.
Shortly after the SolarWinds breaches were discovered, Microsoft found that its email servers were also subject to widespread exploitation, after Chinese hackers discovered a separate flaw.
"This [latest] attack used a stolen key that Microsoft's design failed to properly validate," said Jason Kikta, chief information security officer at Automox and former head of private sector partnerships at U.S. Cyber Command. "The inability to do proper validation for authentication is a habit, not an anomaly."
Further underscoring Microsoft's continuing security woes, the company confirmed Tuesday that its validation procedure had been manipulated to digitally sign dozens of pieces of software. And in yet a third incident, it warned that Russian actors it blames for espionage and financial crimes were exploiting a previously unknown vulnerability in its Office program.
Microsoft suggested workarounds that could be applied and touted its Defender security software as preventing the attacks but said it did not yet have a patch for the actual flaw.
After the SolarWinds hack, Microsoft President Brad Smith testified to the Senate that its code had not been vulnerable, instead blaming customers for common configuration mistakes and poor controls, including cases "where the keys to the safe and the car were left out in the open."
Homeland Security officials complained that basic security tools, such as the ability to review logs, were available only at more expensive tiers of service.
The U.S. government has strengthened cybersecurity rules for vendors whose software and hardware it uses. Government officials want to know whether the rules were not followed or whether they need to be adjusted.
— Ellen Nakashima, Joseph Menn, and Shane Harris, The Washington Post