Microsoft announced that it recently blocked a hacker group dubbed Storm-0558, which was accessing the email accounts of around 25 organizations, including government agencies.
How hackers gained access to email accounts
In a blog post, Microsoft said it began investigating unusual activity in some email accounts on June 16 after being notified by customers.
The investigation found that starting May 15, the hacker group exploited a vulnerability to forge authentication tokens and gain access to companies’ Microsoft 365 accounts.
Using a compromised Microsoft consumer account signing key, the hackers were able to impersonate the user and access email accounts through services such as Outlook Web Access and Outlook.com.
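As an added illustration (not Microsoft's code, and not the real token format or keys involved), the Python sketch below shows why a signing key must be bound to the trust domain it serves: a token minted with a consumer-domain key passes a signature-only check, yet is rejected once the verifier also requires the key to match the issuer the token claims. HMAC stands in for the asymmetric keys a real identity provider uses, and all key material and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed keys for illustration only; real providers use asymmetric keys.
KEYS = {
    "consumer-key-1": b"constructed-consumer-secret",
    "enterprise-key-1": b"constructed-enterprise-secret",
}
# Trust-domain binding: which issuer each key id is authorised to sign for.
KEY_ISSUER = {
    "consumer-key-1": "consumer-idp",
    "enterprise-key-1": "enterprise-idp",
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact token with key `kid`; anyone holding the key can do this."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_token(token: str, expected_aud: str, bind_key_to_issuer: bool = True) -> Optional[dict]:
    """Return the claims if the token is acceptable for `expected_aud`, else None."""
    try:
        header_s, body_s, sig_s = token.split(".")
        header = json.loads(_unb64(header_s))
        claims = json.loads(_unb64(body_s))
        sig = _unb64(sig_s)
    except ValueError:
        return None  # malformed token (binascii.Error is a ValueError)
    kid = header.get("kid")
    if kid not in KEYS:
        return None  # unknown key id
    expected = hmac.new(KEYS[kid], f"{header_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or not signed by the named key
    if claims.get("aud") != expected_aud:
        return None  # token was not issued for this service
    # A signature-only verifier stops here and trusts any known key for any issuer.
    if bind_key_to_issuer and KEY_ISSUER.get(kid) != claims.get("iss"):
        return None  # valid signature, but this key has no authority over that issuer
    return claims
```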
A federal agency had identified suspicious activity in its Microsoft 365 logs, according to a recent joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.
This led to the discovery that sophisticated, persistent threat actors had accessed and exfiltrated data from some Exchange Online Outlook accounts.
What is Storm-0558?
According to Microsoft’s Actor Profile of Storm-0558, the description of the group is as follows:
Storm-0558 (DEV-0558) is a nation-state activity group based in China. They focus on espionage, data theft and access to credentials. They are also known to use custom malware to access credentials, which Microsoft tracks as Cigril and Bling.
How the problem was solved
CISA and the FBI have advised organizations using Exchange Online to implement enhanced monitoring and logging to detect similar attacks.
Their recommendations include enabling advanced audit logging capabilities and gaining insight into standard cloud traffic patterns.
Microsoft claims to have completely solved the problem and blocked the hackers’ access. The company is working with affected customers and notified them before publicly disclosing the incident.
The company said it found no evidence the hackers were inside Microsoft’s own systems.
Mitigating future cyber attacks
This latest activity comes at a time when cyberattacks against businesses around the world continue to rise.
US Senator Mark R. Warner, chairman of the Senate Intelligence Committee, expressed concern over reports of the recent cyberattack and what it takes to prevent future incidents.
“The Senate Intelligence Committee is closely monitoring what appears to be a major cybersecurity breach by Chinese intelligence. It is clear that the People’s Republic of China is steadily improving its cyber collection capabilities against the US and our allies. Close coordination between the US government and the private sector will be critical to countering this threat.”
Microsoft plans to continue improving security around account keys and tokens to stay ahead of evolving cyber risks.
It stressed the need for ongoing collaboration and transparency to strengthen defenses across the tech industry against sophisticated hacking campaigns.