A recently disclosed Chinese hack of Commerce and State Department officials’ emails was found to be linked to a Microsoft engineer’s compromised corporate account, the tech giant announced in a blog post this week.
According to the Sept. 6 post, the hackers leveraged a stolen Microsoft signing key used by the company to authenticate customers, allowing the hackers to masquerade as Federal users of Microsoft’s email services and access officials’ inboxes.
The penetrated account allowed the hacker group – dubbed Storm-0558 – to steal thousands of email exchanges, including those from Commerce Secretary Gina Raimondo and other top U.S. Federal officials.
The Cybersecurity and Infrastructure Security Agency said at the time of the attack that it appeared to have been narrowly scoped, quickly rooted out, and that classified information was not exposed.
The stolen key leaked in an April 2021 “crash dump,” Microsoft explained, a snapshot of a process’s state that is recorded when it crashes. The tech giant noted that the crash dump should not have contained the key.
“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”),” the blog post reads. “The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).”
The contents of that crash dump were later moved from the isolated production network to a company-owned, internet-connected debugging environment, where the hacking group, having compromised the engineer’s account, was able to pilfer the key, Microsoft said in the blog.
“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account,” the company wrote. “This account had access to the debugging environment containing the crash dump which incorrectly contained the key.”
“Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” Microsoft concluded.
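Microsoft’s account describes two controls that failed before the dump left the production boundary: the redaction that should have stripped the key, and the detection that should have flagged key material still present. As an added illustration of the second control (this is not Microsoft’s tooling; the patterns, the key identifier list and the sample dumps are constructed), the following Python scan gates a crash dump before it is moved to a debugging environment:

```python
"""Pre-transfer scan of a crash dump for private-key material (added example).

A dump is refused if anything in it looks like a signing key, so a redaction
failure upstream cannot turn into a key leak downstream.
"""
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    rule: str
    offset: int
    excerpt: bytes

# Rule 1: PEM-armoured private keys of any type (RSA, EC, PKCS#8 "PRIVATE KEY", "ENCRYPTED PRIVATE KEY").
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Rule 2: DER prefix of an unencrypted PKCS#1/PKCS#8 key: SEQUENCE (long-form length), INTEGER version 0.
# Heuristic: other ASN.1 structures can match, so treat hits as "inspect", not proof.
DER_PRIVATE = re.compile(rb"\x30\x82[\x00-\xff]{2}\x02\x01\x00")
# Rule 3: identifiers of signing keys that must never appear in a consumer-process dump (constructed value).
KNOWN_KEY_IDS = [b"kid=signing-key-2016-placeholder"]

def scan_dump(dump: bytes) -> List[Finding]:
    """Return every location in the dump that matches a key-material rule, ordered by offset."""
    findings: List[Finding] = []
    for rule, pattern in (("pem_private_key", PEM_PRIVATE), ("der_private_key", DER_PRIVATE)):
        for m in pattern.finditer(dump):
            findings.append(Finding(rule, m.start(), dump[m.start():m.start() + 24]))
    for kid in KNOWN_KEY_IDS:
        pos = dump.find(kid)
        while pos != -1:
            findings.append(Finding("known_key_id", pos, kid))
            pos = dump.find(kid, pos + 1)
    return sorted(findings, key=lambda f: f.offset)

def allow_transfer(dump: bytes) -> bool:
    """Gate: a dump may leave the production boundary only if the scan is clean."""
    return not scan_dump(dump)

# Constructed dumps for demonstration; the PEM body is a placeholder, not real key material.
LEAKY_DUMP = (b"\x00" * 64 + b"session user=alice@example.com kid=signing-key-2016-placeholder "
              + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA-PLACEHOLDER-\n-----END RSA PRIVATE KEY-----\n"
              + b"\x30\x82\x04\xa3\x02\x01\x00\x02\x82\x01\x01" + b"\x00" * 32)
CLEAN_DUMP = b"\x00" * 64 + b"session user=alice@example.com token=(redacted)" + b"\x00" * 32

if __name__ == "__main__":
    for name, dump in (("leaky", LEAKY_DUMP), ("clean", CLEAN_DUMP)):
        verdict = "allowed" if allow_transfer(dump) else "BLOCKED"
        print(name, verdict, [(f.rule, f.offset) for f in scan_dump(dump)])
```

In practice the rule set would also carry fingerprints of the organisation’s own keys, and a blocked dump would be quarantined and alerted on rather than silently dropped.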
The July hack sparked bipartisan concern in Congress: members of the House Oversight and Accountability Committee launched an investigation into the China-based cyber espionage campaign, and 14 senators pressed the State Department’s chief information officer for more information on the cyberattack.
Wednesday’s post from Microsoft is unlikely to be the final word on the breach. The U.S. Cyber Safety Review Board is currently investigating the breach as part of a broader examination of cloud security.