U.S. State Department Emails Compromised in Cyber Attack
In mid-June 2023, an unnamed Federal Civilian Executive Branch (FCEB) organization in the U.S. noticed unusual email activity, which led Microsoft to uncover a new China-linked espionage operation targeting roughly two dozen organizations.
The details come from a joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on July 12, 2023. The agencies stated:
In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.
The name of the government organization was not made public, but according to CNN and the Washington Post, citing sources familiar with the situation, it was the U.S. State Department. The Commerce Department, a congressional staffer, a U.S. human rights advocate, and American think tanks were also targeted. Estimates place the number of affected organizations in the United States in the low single digits.
The revelation comes a day after Microsoft attributed the campaign to Storm-0558, a newly tracked “China-based threat actor” that primarily targets Western European governments and specializes in data theft. The evidence so far indicates that the malicious activity began about a month before it was discovered.
China, however, has denied involvement in the hacking incident, calling the U.S. “the world’s biggest hacking empire and a global cyber thief” and saying it is “high time that the U.S. explained its cyber attack activities and stopped spreading disinformation to deflect public attention.”
Through Outlook Web Access in Exchange Online (OWA) and Outlook.com, the cyberspies accessed consumer email accounts using forged authentication tokens. The tokens were forged with an acquired Microsoft account (MSA) consumer signing key; exactly how the key was obtained is still unknown.
Storm-0558 also uses two custom malware tools, Bling and Cigril, to facilitate credential access. Cigril has been described as a trojan that decrypts encrypted files and runs them directly from system memory in order to evade detection.
According to CISA, the FCEB agency discovered the breach using Microsoft Purview Audit’s enhanced logging capabilities, notably the MailItemsAccessed mailbox-auditing operation.
CISA further advises organizations to enable Purview Audit (Premium) logging, activate Microsoft 365 Unified Audit Logging (UAL), and make sure that operators can search the logs, so that this kind of activity can be found and distinguished from normal behavior in the environment.
“Organisations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic,” the CISA and FBI concluded.
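The advisory's recommendation to baseline MailItemsAccessed activity and hunt for outliers can be put into practice with a small script over exported Unified Audit Log records. The following is an added example, not code from the advisory or from Microsoft: it parses newline-delimited JSON audit records (a constructed sample using the real UAL field names CreationTime, Operation, UserId, ClientIPAddress, ClientInfoString and OperationCount; all values are invented), builds a per-user baseline of known client fingerprints and peak daily access volume from records before a cutoff date, and then flags later records that come from a never-seen client/IP combination or exceed the baseline volume by an assumed factor of three. The function names and the three-times threshold are this example's own choices, not anything prescribed by CISA.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of Unified Audit Log (UAL) records, one JSON object per
# line. Field names follow the Exchange mailbox-audit schema; every value is
# invented for this example (RFC 5737 documentation IP ranges).
SAMPLE_UAL = """\
{"CreationTime": "2023-05-01T08:02:11", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "ClientIPAddress": "198.51.100.20", "ClientInfoString": "Client=OWA;Action=ViaProxy", "OperationCount": 15}
{"CreationTime": "2023-05-02T08:10:43", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "ClientIPAddress": "198.51.100.20", "ClientInfoString": "Client=OWA;Action=ViaProxy", "OperationCount": 22}
{"CreationTime": "2023-05-03T09:15:02", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "ClientIPAddress": "198.51.100.21", "ClientInfoString": "Client=OWA;Action=ViaProxy", "OperationCount": 18}
{"CreationTime": "2023-05-01T07:55:00", "Operation": "MailItemsAccessed", "UserId": "bob@agency.example", "ClientIPAddress": "198.51.100.30", "ClientInfoString": "Client=MSExchangeRPC", "OperationCount": 40}
{"CreationTime": "2023-05-02T07:58:30", "Operation": "MailItemsAccessed", "UserId": "bob@agency.example", "ClientIPAddress": "198.51.100.30", "ClientInfoString": "Client=MSExchangeRPC", "OperationCount": 35}
{"CreationTime": "2023-06-15T02:41:09", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "ClientIPAddress": "203.0.113.77", "ClientInfoString": "Client=OWA;Action=ViaProxy", "OperationCount": 250}
{"CreationTime": "2023-06-15T03:12:44", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "ClientIPAddress": "203.0.113.77", "ClientInfoString": "Client=OWA;Action=ViaProxy", "OperationCount": 300}
{"CreationTime": "2023-06-15T08:05:17", "Operation": "MailItemsAccessed", "UserId": "bob@agency.example", "ClientIPAddress": "198.51.100.30", "ClientInfoString": "Client=MSExchangeRPC", "OperationCount": 38}
{"CreationTime": "2023-06-15T08:06:00", "Operation": "Set-Mailbox", "UserId": "bob@agency.example", "ClientIPAddress": "198.51.100.30", "ClientInfoString": "Client=MSExchangeRPC", "OperationCount": 1}
"""


def parse_ual(text):
    """Parse newline-delimited JSON audit records, keeping only MailItemsAccessed events."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def build_baseline(records, cutoff):
    """Per-user baseline from records before cutoff: known (IP, client) pairs and peak daily volume."""
    known = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["CreationTime"] >= cutoff:
            continue
        user = r["UserId"]
        known[user].add((r["ClientIPAddress"], r["ClientInfoString"]))
        daily[user][r["CreationTime"].date()] += r.get("OperationCount", 1)
    peak = {user: max(days.values()) for user, days in daily.items()}
    return known, peak


def find_outliers(records, cutoff, volume_factor=3):
    """Flag post-cutoff MailItemsAccessed activity that deviates from the per-user baseline.

    Returns a list of tuples:
      ("new_client", user, ip, first_seen_iso)   first use of an unseen (IP, client) pair
      ("volume", user, day_iso, total)           daily OperationCount above volume_factor x peak
    """
    cutoff = datetime.fromisoformat(cutoff) if isinstance(cutoff, str) else cutoff
    known, peak = build_baseline(records, cutoff)
    daily = defaultdict(lambda: defaultdict(int))
    findings = []
    for r in sorted(records, key=lambda rec: rec["CreationTime"]):
        if r["CreationTime"] < cutoff:
            continue
        user = r["UserId"]
        fingerprint = (r["ClientIPAddress"], r["ClientInfoString"])
        if fingerprint not in known[user]:
            findings.append(("new_client", user, r["ClientIPAddress"], r["CreationTime"].isoformat()))
            known[user].add(fingerprint)  # report each new fingerprint once
        daily[user][r["CreationTime"].date()] += r.get("OperationCount", 1)
    # Volume check on full-day totals so the reported number is the day's final count.
    for user, days in daily.items():
        if user not in peak:
            continue  # no history to compare against; the new_client check already covers this user
        for day, total in sorted(days.items()):
            if total > volume_factor * peak[user]:
                findings.append(("volume", user, str(day), total))
    return findings


if __name__ == "__main__":
    for finding in find_outliers(parse_ual(SAMPLE_UAL), "2023-06-01"):
        print(finding)
```

In the sample, alice's June access from a new IP in the early morning and a daily item count far above her May peak are both reported, while bob's unchanged client and volume produce nothing; the non-mailbox `Set-Mailbox` record is dropped at parse time. A real deployment would feed the script a `Search-UnifiedAuditLog` export and tune the baseline window and volume factor to the tenant.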