Microsoft spills the beans on Storm-0558 email hack


We finally know a little more about the highly disturbing espionage operation that Microsoft attributes to a group of Chinese hackers called Storm-0558. In early July, the American software vendor had disclosed a sophisticated malicious campaign that lasted about a month, from May 15 to June 16.

The hackers were able to access the email accounts of 25 organizations using fraudulently obtained authentication tokens, without needing to steal any email passwords. According to the American press, the targets included the United States Secretary of Commerce, Gina Raimondo, and the US ambassador to China, Nicholas Burns.

Expected explanations

This high-profile hack, which targeted sensitive figures, had raised questions about the security of the company's messaging service. The hackers had in fact managed to get hold of a Microsoft consumer account (MSA) signing key, the first key, which then opened other doors for them. The long-awaited explanations from the Redmond firm were finally published on September 6.

According to Microsoft's experts, the spying campaign is the outcome of several separate events. In the absence of conclusive evidence, the company considers this the most likely sequence. It all began in April 2021, with the crash of a signing system that proved far too talkative: the crash dump, the memory snapshot written after the incident, contained the signing key that was later stolen, when it should not have. Microsoft reports that this problem has since been fixed.

Hacking of an engineer’s account

Around the same time, the Storm-0558 hackers succeeded, by means that remain unknown, in compromising the account of a Microsoft engineer. That engineer had access to the debugging environment and to the crash dump that had wrongly captured the signing key.

That signing key then allowed the attackers (whether they had spotted the problem beforehand or stumbled on it while exploring the engineer's account is unclear) to fraudulently obtain authentication tokens giving access to Outlook email accounts and Azure cloud services. Microsoft now states that it has fixed the flaws the hackers exploited.
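The mechanism described above, a signing key that lets anyone mint tokens the service will trust, is why a token verifier must bind each key to the issuer it is allowed to sign for, not merely check that a signature is cryptographically valid. The following illustration is added here and is not code from the article or from Microsoft; it uses constructed key material and hypothetical issuer URLs, and it uses stdlib HMAC (HS256-style) tokens so it runs offline, whereas real identity platforms sign with asymmetric keys. It contrasts a lax verifier that accepts any known key id against a strict one that only accepts keys from the expected issuer's own key set, so a token signed with a consumer key but claiming the enterprise issuer is rejected even though its signature checks out.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key material (hypothetical values): one key set per
# issuer, as an identity platform would keep separate consumer and
# enterprise signing keys.
KEY_SETS = {
    "https://login.example.test/consumer": {
        "consumer-kid-1": b"consumer-secret-0001",
    },
    "https://login.example.test/enterprise": {
        "enterprise-kid-1": b"enterprise-secret-0001",
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, kid: str, key: bytes, subject: str) -> str:
    """Build a header.payload.signature token. Used only to construct
    test vectors for the verifier below."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"iss": issuer, "sub": subject}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_issuer: str, bind_kid_to_issuer: bool = True) -> dict:
    """Return the payload if the token is valid for expected_issuer, else
    raise ValueError. With bind_kid_to_issuer=False the verifier looks the
    kid up across every key set, which is the lax behaviour to avoid."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if payload.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    if bind_kid_to_issuer:
        # Strict: only keys published for this issuer may sign its tokens.
        keys = KEY_SETS.get(expected_issuer, {})
    else:
        # Lax: any key from any issuer's key set is accepted.
        keys = {k: v for ks in KEY_SETS.values() for k, v in ks.items()}
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("kid not in the key set for this issuer")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return payload


def check_token(token: str, expected_issuer: str, bind_kid_to_issuer: bool = True) -> str:
    """Return 'accepted' or 'rejected: <reason>'; the reason is what a
    defender would want logged, together with the offending kid."""
    try:
        verify_token(token, expected_issuer, bind_kid_to_issuer)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


ENT = "https://login.example.test/enterprise"
CON = "https://login.example.test/consumer"


def demo() -> dict:
    legit = mint_token(ENT, "enterprise-kid-1", KEY_SETS[ENT]["enterprise-kid-1"], "alice@corp.test")
    # Token signed with the consumer key but claiming the enterprise issuer.
    cross = mint_token(ENT, "consumer-kid-1", KEY_SETS[CON]["consumer-kid-1"], "bob@corp.test")
    return {
        "legit_strict": check_token(legit, ENT),
        "cross_strict": check_token(cross, ENT),
        "cross_lax": check_token(cross, ENT, bind_kid_to_issuer=False),
    }


if __name__ == "__main__":
    print(demo())
```

The point for detection is the rejection reason: a verifier that logs "kid not in the key set for this issuer" along with the kid and the claimed issuer gives a concrete signal for tokens signed with a key that should never appear in that context, which a lax verifier would silently accept.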
