Microsoft's Storm-0558 cloud hack: US senator among the victims

[German]It's been a few days since it became known that members of the suspected Chinese cyber group Storm-0558 managed to break into the Exchange Online and private outlook.com accounts of 25 organizations. Now a US senator came forward with the information that he had just been informed by the FBI that his personal email account was affected by this hack. And while we're on the subject, I'll put a second piece of information in this post. Administrators who are responsible for looking after the Microsoft Cloud in companies need to check whether tenants were affected by this hack. If necessary, a data protection incident report must then be submitted to the relevant authorities.

The Storm-0558 attack

A suspected China-based hacking group, referred to by Microsoft as Storm-0558, had succeeded in June 2023 in gaining access to email accounts of about 25 organizations stored in the Microsoft cloud. These include government agencies (U.S. Department of State), as well as corresponding private accounts of individuals likely to be associated with these organizations.

The background was that the attackers came into possession of a private (MSA) customer key for Microsoft accounts. This MSA key could be used to generate (forge) security tokens. But these security tokens could not only be used for private Microsoft accounts (e.g. Outlook.com). Due to bugs in the Azure services code, the security tokens were not verified correctly and allowed access to Azure AD accounts (now called IntraID accounts).

I had reported about this attack in various blog posts like China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud. However, according to a report by security researchers at Wiz, the security incident went much further – attackers were able to use an AAD key to forge AAD tokens as well. This means that Azure customer applications could also be affected (see Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services). Meanwhile, U.S. politicians are calling for consequences (see Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack- Part 1) and there is a review by the US Cyber Safety Review Board.

New victims of the Storm-0558 attack

Now new victims of the above-mentioned hack became known. U.S. House of Representatives member Don Bacon (from Nebraska) shared in a tweet that the FBI informed him on Monday (August 14, 2023) that the Chinese government "penetrated his personal and campaign emails from May 15 to June 16 of this year."

New Storm-0558 victim

In his tweet, Bacon refers to the above-mentioned security vulnerability in the Microsoft cloud, which became known back in July 2023. Since the hack happened two months ago, it seems that the FBI is only now getting clarity about who else was affected – Microsoft only gave thin PR that the evil hackers only attacked 25 organizations and penetrated their mailboxes. The fact that the attackers were able to walk around in the email accounts for a month was largely lost in Microsoft's reporting.

Bacon suggests that there were other victims of this cyber operation. Techcrunch writes here that the hackers also accessed the inboxes of U.S. Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns. And there are indications that an unnamed congressional staffer was also targeted in the attack. The question remains, what else will become public? After all, I had pointed out the partly hair-raising details of this "hack" in the blog post Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack- Part 1.

European Tenant administrators have a duty to check

I'm inserting another note on this topic here, since it has remained all too quiet after the above hack. Basically, the entire Microsoft Cloud can be considered compromised. Microsoft has produced some texts and recently also published a guide for checking the cloud for stolen security tokens (see my blog post Microsoft has published the TokenTheft playbook).

GIt was precisely this TokenTheft playbook that triggered the German blog post Erfolgreicher Hackerangriff auf Microsoft Cloud – Microsoft reagiert (endlich) from Philip Kroll, Senior Consultant Data Protection North). The relevant part of the post that I am concerned with relates to the data protection aspect. Philip Kroll writes that the person responsible for the Tenant deployment is also compelled by european data protection law  (GDPR) to follow up on relevant security alerts and to check whether he or she is affected, due to his or her comprehensive duties.

Tenant administrators in Europe should, according to the data protection consultant's advice, take action and check with the help of the playbook to rule out an attack on their tenant in the period from mid-May to mid-June. Microsoft and its information policy should not be trusted, he said. If a compromise of the tenant(s) is detected, data protection officers are almost certainly obligated to report it to the supervisory authority as a data breach from that point on, Kroll says. Meanwhile, Microsoft is also providing its customers with enhanced cloud logging (see After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging).

This entry was posted in Cloud, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *