We finally know a little more about the troubling espionage operation that Microsoft attributes to a China-based hacking group it calls Storm-0558. In early July the American software publisher disclosed a sophisticated malicious campaign that ran for about a month, from May 15 to June 16.
The hackers gained access to the email accounts of around 25 organizations using forged authentication tokens, without needing to steal any user's password. According to the American press, the targets included the United States Secretary of Commerce, Gina Raimondo, and the country's ambassador to China, Nicholas Burns.
This high-profile hack, aimed at sensitive figures, raised questions about the security of the company's email service. The hackers had managed to obtain a Microsoft account (MSA) consumer signing key, the first sesame that opened other doors for them. The long-awaited explanation from the Redmond firm was finally published on September 6.
According to Microsoft's experts, the espionage campaign was the culmination of several separate events. Lacking conclusive evidence, the company describes what it considers the most likely sequence. Everything would have started in April 2021 with the crash of a consumer signing system. The crash dump, the memory snapshot written after such an incident, contained the signing key that was later stolen, although a dump should never include key material; Microsoft reports that this problem has since been fixed.
Hacking an engineer’s account
Around the same time, the Storm-0558 hackers managed, by means that have not been detailed, to compromise the account of a Microsoft engineer. That account had access to the debugging environment and to the crash dump that had incorrectly preserved the signing key.
This signing key then allowed the attackers (it is not known whether they had spotted the problem or merely stumbled upon it while exploring the engineer's account) to forge authentication tokens and access Outlook email accounts and Azure cloud services. Microsoft now says it has fixed the flaws the hackers exploited.
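The following is an added illustration, not code from the article or from Microsoft, of why a stolen signing key is so dangerous and what a token verifier must check to limit the blast radius. It assumes a simplified setup: HS256 (a shared secret) stands in for the RSA key used in practice so that everything runs with the Python standard library, the key identifiers, issuer URLs and claims are constructed, and the weak verifier's mistake is assumed to be accepting any key in a shared key set without checking which issuer that key is allowed to sign for. The strict verifier scopes each key to one issuer, so a token minted with the consumer key but claiming to come from the enterprise issuer is rejected even though its signature is valid.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key set. HS256 secrets stand in for the RSA keys used
# in practice. Each entry records which issuer the key may sign for; the
# issuer URLs and key ids below are assumptions made for this example.
KEY_SET = {
    "msa-consumer-2021": {
        "secret": b"consumer-signing-key-material",
        "iss": "https://login.live.com",               # consumer (MSA) issuer
    },
    "aad-enterprise-2023": {
        "secret": b"enterprise-signing-key-material",
        "iss": "https://login.microsoftonline.com",    # enterprise issuer
    },
}

ENTERPRISE_ISS = "https://login.microsoftonline.com"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims, kid, secret):
    """Produce a compact JWT (HS256) signed with the given key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token):
    h, p, s = token.split(".")
    return (json.loads(_unb64url(h)), json.loads(_unb64url(p)),
            (h + "." + p).encode(), _unb64url(s))


def verify_lax(token, key_set, now=None):
    """Weak verifier: any key in the set whose kid matches is trusted,
    regardless of which issuer that key belongs to. Returns claims or None."""
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        return None
    entry = key_set.get(header.get("kid"))
    if entry is None:
        return None
    expected = hmac.new(entry["secret"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


def verify_strict(token, key_set, expected_iss, now=None):
    """Hardened verifier: signature and expiry as above, plus the key used
    must be registered for the issuer the token claims, and that issuer must
    be the one this service accepts."""
    claims = verify_lax(token, key_set, now)
    if claims is None:
        return None
    header = _split(token)[0]
    if claims.get("iss") != expected_iss or key_set[header["kid"]]["iss"] != expected_iss:
        return None
    return claims


def forged_enterprise_token(now):
    """What an attacker holding the stolen consumer key can mint: a token
    that claims to come from the enterprise issuer (constructed claims)."""
    stolen = KEY_SET["msa-consumer-2021"]["secret"]
    claims = {"iss": ENTERPRISE_ISS, "sub": "victim@example.com",
              "aud": "exchange-online", "exp": now + 3600}
    return sign_token(claims, "msa-consumer-2021", stolen)


def legitimate_enterprise_token(now):
    """Reference token signed with the key actually registered for the enterprise issuer."""
    claims = {"iss": ENTERPRISE_ISS, "sub": "user@example.com",
              "aud": "exchange-online", "exp": now + 3600}
    return sign_token(claims, "aad-enterprise-2023", KEY_SET["aad-enterprise-2023"]["secret"])


def demo(now=1_700_000_000.0):
    """Returns (lax_accepts_forgery, strict_accepts_forgery, strict_accepts_legit)."""
    forged = forged_enterprise_token(now)
    legit = legitimate_enterprise_token(now)
    return (verify_lax(forged, KEY_SET, now) is not None,
            verify_strict(forged, KEY_SET, ENTERPRISE_ISS, now) is not None,
            verify_strict(legit, KEY_SET, ENTERPRISE_ISS, now) is not None)


if __name__ == "__main__":
    print(demo())
```

The point of the strict verifier is that a valid signature is not the same as a token signed by the right key for the right audience: a key scoped to the consumer issuer must never be accepted for enterprise mail, whichever issuer the forged token names in its claims. Rotating or revoking the stolen key identifier in the key set is the other, complementary response.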