Breach Unleashed: Chinese Threat Actor Targets Western Government Agencies in Sophisticated Cyberespionage Campaign
Microsoft Identifies Threat

Overt Operator
July 12, 2023

A potent cyberespionage campaign unfolded this spring as a Chinese threat actor, Storm-0558, infiltrated email accounts across 25 government agencies in Western Europe and the United States. Anonymous sources have revealed to CNN that the cyber onslaught compromised the U.S. State Department, with Capitol Hill also suspected to be in the crosshairs.
Microsoft has identified the China-based group Storm-0558 as the mastermind behind this advanced campaign, primarily targeted at Western governmental bodies. The group successfully penetrated a small number of officials' email accounts across several agencies, though the extent of sensitive information accessed remains unknown.
Storm-0558, notorious for its custom malware families Bling and Cigril, used a novel approach in this recent campaign. Cigril, a Trojan designed to encrypt files and execute them directly from system memory, helps the group evade detection and poses a significant threat. This time, the group managed to forge authentication tokens, impersonating authorized Azure Active Directory (AD) users and thereby gaining access to enterprise email accounts and the potentially sensitive data they contain.
Microsoft's security team first noticed abnormal mail activity on June 16. Further investigation revealed that a broad cyberespionage campaign was underway, dating back to May 15.
Storm-0558's operation leveraged stolen Managed Service Account (MSA) consumer signing keys and exploited a validation issue. This flaw enabled the group to forge authentication tokens and masquerade as legitimate Azure AD users, accessing email accounts via Outlook.com and Exchange Online's Outlook Web Access client.
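The validation weakness described above, as an added illustration that is not part of the original article or of Microsoft's code: a simplified token verifier in which a signature-only check accepts any token whose named key verifies, while the hardened check additionally requires the signing key to be authorized for the token's issuer. It assumes the issue was that a key of one scope (consumer) could sign a token accepted for another (enterprise); key names, issuer domains and the HMAC secrets standing in for real asymmetric keys are constructed.

```python
import base64, hashlib, hmac, json

# Constructed key registry (assumption: a real identity provider publishes asymmetric
# keys; HMAC secrets stand in for them so the example runs offline). Each key records
# the issuer(s) it is authorized to sign for, i.e. its consumer or enterprise scope.
KEY_REGISTRY = {
    "consumer-key-1": {"secret": b"consumer-secret", "issuers": {"consumer-idp.example"}},
    "enterprise-key-1": {"secret": b"enterprise-secret", "issuers": {"enterprise-idp.example"}},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-style token (header.payload.signature) with the named key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY_REGISTRY[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_signature_only(token: str):
    """Naive validator: trusts any token whose signature verifies under the key its
    header names. Returns the claims on success, None on failure."""
    try:
        header, payload, sig = token.split(".")
        kid = json.loads(_unb64(header))["kid"]
        provided = _unb64(sig)
    except (ValueError, KeyError):
        return None
    key = KEY_REGISTRY.get(kid)
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(_unb64(payload))

def verify_with_key_binding(token: str, expected_issuer: str):
    """Hardened validator: the signature must verify AND the signing key must be one
    the expected issuer is allowed to use, so a cryptographically valid signature
    from a key of another scope (e.g. a consumer key on an enterprise token) fails."""
    claims = verify_signature_only(token)
    if claims is None or claims.get("iss") != expected_issuer:
        return None
    kid = json.loads(_unb64(token.split(".")[0]))["kid"]
    if expected_issuer not in KEY_REGISTRY[kid]["issuers"]:
        return None  # valid signature, but this key is not authorized for this issuer
    return claims
```

The first validator is the "validation issue" in miniature: it answers only "is this signed by a key I know?" rather than "is this signed by a key this issuer may use?", which is the check that turns a leaked key of one scope into a forgery of another.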
Microsoft has since rectified the MSA key issue, blocking any further intrusion from this threat actor. The Advanced Persistent Threat (APT) has reportedly compromised 25 government agencies mainly in Western Europe, along with personal accounts linked to these agencies.
Charlie Bell, executive vice president of Microsoft Security, noted in a blog post that these well-resourced adversaries do not distinguish between business and personal accounts tied to targeted organizations. "It only takes one successfully compromised account login to gain persistent access, exfiltrate information, and achieve espionage objectives," he said.
Microsoft claims to have contacted all known victims and asserts that no further action is required from its customers. Yet, this latest cyberespionage campaign highlights the relentless evolution of threat actors like Storm-0558, signaling an urgent need for organizations to bolster their cyber defense systems. The continual refinement of these threat actors' tradecraft serves as a stark reminder that cybersecurity remains a moving target, requiring constant vigilance and adaptation.