A China-based cybercriminal known as Storm-0558 gained access to unclassified U.S. government email accounts using forged authentication tokens according to a report released by Microsoft.
This story was updated July 12, 2023 with new information.
The State Department acknowledged today that it was hit with a cyber intrusion targeting email accounts last month. A report released Tuesday night by Microsoft attributed the breach to a threat group in China.
Agency spokesperson Matthew Miller declined to specify the exact date of the breach and also declined to confirm any connection to China or any links between the breach and the recent China trip by Secretary of State Antony Blinken.
"I can say that last month the State Department detected anomalous activity. We did two things immediately: one we took immediate steps to secure our systems and two, took immediate steps to notify Microsoft of the event." Miller told reporters. "As a matter of cybersecurity policy. We do not discuss the details of our response. The incident remains under investigation," he said.
A senior Cybersecurity and Infrastructure Security Agency official described the cyberattack as a "surgical campaign" that targeted a "small number of mailboxes" during a phone call with reporters on Wednesday. That official declined to confirm what agencies and organizations were impacted in the breach,
A senior FBI official also said on the call that the Bureau was "working closely" with Microsoft and impacted federal agencies to investigate the attack.
"This intrusion should not be compared to Solar Winds," the FBI official said. "The impact of a months-long, targeted campaign like this one is much narrower than the 18,000 victims through a single technical update."
Microsoft concluded that a China-based actor known as Storm-0558 gained access to email accounts belonging to approximately 25 separate organizations, including government entities, beginning on May 15. The company began investigating the anomalous mail activity nearly a month later and determined that Storm-0558 used forged authentication tokens to gain access to the accounts.
The hackers used Microsoft's Outlook Web Access in Exchange Online and Outlook.com to access the unclassified email accounts, according to the announcement, as part of an apparent effort to collect intelligence and "achieve espionage objectives."
"This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems," the announcement said.
Microsoft alerted impacted customers prior to releasing a public statement this week and completed mitigation procedures for the nearly 25 victim organizations, including adding "substantial automated detections for known indicators of compromise" linked to the recent attack. The company also said it found no evidence of further access to additional email accounts.
The news comes amid an increase in cyberattacks impacting government agencies and networks. Last month, it was revealed that cybercriminals leveraged a vulnerability found in the popular MOVEit file transfer service to steal data from underlying MOVEit databases in a hack that impacted several federal civilian agencies, though CISA director Jen Easterly confirmed that it did not present a systemic risk to national security.
Lawmakers and industry stakeholders have increasingly urged the White House to nominate a director to lead the Office of the National Cyber Director following Chris Inglis’ retirement earlier this year.
A group of cybersecurity organizations sent a letter to the White House Wednesday demanding the president nominate a replacement by the end of the month, warning that the federal cyber leadership vacuum could hinder the administration as it seeks to implement its national security strategy released earlier this year.
Microsoft said it is partnering with CISA and others while continuing to investigate the latest breach. The company also said that no further action was required from its customers.