Cyber Espionage Attack Targeted U.S. Government Email Accounts
Email accounts at approximately 25 organizations—including U.S. government agencies—were affected by a targeted cyberattack during the past month.
A hacking group based in China (tracked by Microsoft as Storm-0558) primarily targets government agencies in Western Europe, and it focuses on espionage, data theft, and credential access, according to a Microsoft security blog.
Microsoft was tipped off about anomalous email activity on 16 June, and its subsequent investigation found that Storm-0558 gained access to key email accounts beginning on 15 May by using forged authentication tokens to access user email. Microsoft said that it has completed mitigation of this attack for all customers, and it is working closely with organizations affected by the attack.
The attack was carefully targeted, and the hackers went after specific accounts—aiming for intelligence, rather than enormous amounts of data, a person briefed on the intrusion told The New York Times. A U.S. National Security spokesperson said no classified networks were affected, but an assessment of what and how much information was taken continues.
“The Senate Intelligence Committee is closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence,” wrote U.S. Senator Mark Warner (D-VA), chairman of the Senate Select Committee on Intelligence, in a press statement. “It’s clear that the [People’s Republic of China (PRC)] is steadily improving its cyber collection capabilities directed against the U.S. and our allies. Close coordination between the U.S. government and the private sector will be critical to countering this threat.”
Microsoft assessed that Storm-0558 “is focused on espionage, such as gaining access to email systems for intelligence collection. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems,” wrote Charlie Bell, executive vice president for Microsoft Security, in a blog. This type of adversary is well-resourced and will seek to compromise both business and personal accounts associated with targeted organizations, “since it only takes one successfully compromised account login to gain persistent access, exfiltrate information, and achieve espionage objectives,” Bell wrote.
Email-based compromise is a common attack vector for malicious cyber actors—whether they are seeking specific information or broader system access they can use for additional attacks or disruptions in the future. Credential misuse is also common—49 percent of the data breaches recorded in the 2023 Verizon Data Breach Investigations Report (DBIR) involved credentials, and stolen credentials were the primary way attackers accessed organizations.
Overall, 74 percent of the breaches analyzed in the report included the human element (errors, privilege misuse, stolen credentials, and social engineering).
— Security Management (@SecMgmtMag) June 18, 2023
The DBIR reported that the government and public administration sector “continues to be targeted by financially motivated external threat actors as well as spying nation-states that are interested in what their rivals are doing.”
In addition, “this sector continues to make top scores in espionage-motivated breaches. It is also rich in multiple actor breaches. External and partner or internal actors working together to steal data is not the kind of international cooperation we want to see fostered,” the report noted in its executive summary.
In its annual threat assessment released in March 2023, the U.S. Office of the Director of National Intelligence (ODNI) categorized Chinese espionage as a major threat the United States will continue to face.
“China probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. government and private-sector networks,” according to the assessment. “China's cyber pursuits and its industry's export of related technologies increase the threats of aggressive cyber operations against the U.S. homeland, suppression of the free flow of information in cyberspace—such as U.S. web content—that Beijing views as threatening to the CCP’s hold on power, and the expansion of technology-driven authoritarianism globally.”