Chinese hackers breached US government emails via Microsoft Cloud

In two blog posts published on Tuesday, Microsoft disclosed that a China-based hacking group — which the company refers to as “Storm-0558” — is intent on “gaining access to email systems for intelligence collection.” It said the espionage-focused group breached an unidentified number of email accounts linked to around 25 organizations, including some related individual consumer accounts and government agencies in Western Europe and the US. 

According to The Washington Post, it was the US government that notified Microsoft of the exploit. “Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service,” National Security Council spokesperson Adam Hodges said to the publication. “We continue to hold the procurement providers of the US government to a high security threshold.”

The group used forged authentication tokens to access impacted email accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com from May 15th, remaining undetected for a month until Microsoft began its investigation on June 16th following “customer reported information.”

The hack affected unclassified systems and doesn’t appear to have compromised email accounts linked to the Pentagon, military, or intelligence community, according to The Washington Post’s sources.

Microsoft has contacted and implemented mitigations for all customers targeted during the security breach. The tech giant said it’s hardened its defenses by adding “substantial automated detections” to flag activity associated with the attack and is now working with the Department of Homeland Security’s cyber defense agency to protect affected users. The remaining organizations and government agencies compromised by the hackers have not been disclosed.

Hackers affiliated with the Chinese state were reportedly behind a cyberattack targeting US government security clearance records in 2015 that affected 21.5 million people. The Russia-linked SolarWinds hack that exposed government and enterprise networks via a compromised Microsoft worker’s computer in 2020 is also believed to have impacted up to 18,000 SolarWinds customers. The SolarWinds software was attacked again in 2021 by a Chinese hacker group with the presumed goal of accessing information connected to the US defense industry.