Chinese hackers raided US government email accounts by exploiting Microsoft cloud bug

Chinese hackers tracked as Storm-0558 have exploited a flaw in Microsoft’s cloud email service, compromising approximately 25 email accounts of U.S. government employees, the tech giant confirmed. The compromised accounts span government agencies and related consumer accounts linked to individuals within these organizations.

The Unveiling of Storm-0558

Storm-0558, an emerging hacking group from China, is closely tracked by Microsoft. The nickname “Storm” is used by Microsoft to keep tabs on new or developing hacking groups. However, Microsoft did not reveal the specific government agencies targeted by Storm-0558.

Adam Hodge, a spokesperson for the White House’s National Security Council, confirmed to TechCrunch that U.S. government agencies were impacted. “Last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” he said.

High-Level Infiltration

The State Department is reported to be one of the several federal agencies compromised, according to The Wall Street Journal. State alerted Microsoft to the breach, reports CNN. However, the number of impacted government agencies remains undisclosed.

Deep-Dive Into The Attack

Microsoft’s investigation revealed that the hackers accessed email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com. Using an acquired Microsoft consumer signing key, they forged authentication tokens to gain access to user accounts, and they exploited a token validation issue to impersonate Azure AD users, thereby reaching enterprise email accounts.

Undetected Activity and Espionage Intent

The activities of Storm-0558 went undetected for about a month until customers flagged anomalous mail activity. “We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection,” said Charlie Bell, Microsoft’s top cybersecurity executive.

Microsoft reported that the attack has been successfully mitigated and that Storm-0558 no longer has access to the compromised accounts. However, it remains unclear whether any sensitive data was exfiltrated during the month-long period that the attackers had access.

Government Response

The U.S. cybersecurity agency CISA confirmed that the attackers accessed unclassified email data. During a briefing, a senior FBI official described the intrusion as a “targeted campaign,” and mentioned that the number of impacted government agencies was in the “single digits,” without revealing the actual number or the names of the affected agencies.

The extent of the damage remains undisclosed, but a senior CISA official noted that a government-backed actor — not yet attributed by the U.S. government to China — exfiltrated a “limited amount” of Exchange Online data.

CISA and the FBI are now encouraging any organization that detects unusual activity in Microsoft 365 to report it to the agencies.
