Microsoft has now completed an analysis of the incident in which Chinese attackers gained access to the email accounts of various US government agencies. A series of errors and sloppiness ultimately led to the problem.
According to Microsoft, the group known as Storm-0558 was behind the attack, which came to light because users noticed unusual activity in their mailboxes. The victims included Commerce Secretary Gina Raimondo and U.S. Ambassador to China R. Nicholas Burns. Microsoft was therefore obliged to investigate and provide details to a US Congressional inquiry into the case.
Series of errors
Redmond has now complied, and it turns out that the attackers had indeed managed to obtain a Microsoft Account (MSA) key. Such a key can be used to create access tokens that grant entry to Outlook accounts on Microsoft’s cloud infrastructure. The big question was therefore how Storm-0558 got hold of this key.
This key is supposed to reside on an especially isolated system, in a department accessible only to employees who have passed a security clearance. Dedicated accounts, hardened workstations and multi-factor authentication with hardware tokens are meant to prevent the key from leaking outside.
In April 2021, however, one of the computers in that department crashed and produced a memory dump. Such a dump should not contain sensitive material: Windows has internal mechanisms that redact potentially problematic memory areas. That did not happen here, and the dump, MSA key included, was moved to another part of the Microsoft network for further analysis.
Corrections already done
At some point after this, the Storm-0558 attacker succeeded in compromising a Microsoft engineer’s corporate account. That account in turn had access to the debugging environment holding the crash dump, which wrongly contained the key and, for reasons unknown, was still stored there.
Even with the key stolen in this way, access should not have been possible, because the MSA key was meant only for issuing tokens for private (consumer) user accounts. However, an error in how the mail system integrated and used its token validation libraries meant that this additional security barrier only appeared to exist: tokens signed with the consumer key were not rejected for the affected mailboxes.
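To illustrate the kind of check that only appeared to exist, here is an added example (not Microsoft’s code, and not the real MSA or Azure AD token format): a simplified HMAC-signed token whose key set labels each key with the account population it may sign for. The key identifiers, secrets and the `account_type` claim are constructed assumptions; `validate_weak` accepts any key that verifies the signature, while `validate_strict` additionally requires the key’s scope to match the account type the token claims.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key set (assumption): each signing key is labelled with the
# account population it is allowed to issue tokens for.
KEYS = {
    "msa-key-1": {"secret": b"consumer-signing-secret", "scope": "consumer"},
    "aad-key-1": {"secret": b"enterprise-signing-secret", "scope": "enterprise"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a simplified HMAC-signed token: header.body.signature (not a real JWT)."""
    header = _b64(json.dumps({"kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _parse(token: str):
    header, body, sig = token.split(".")
    kid = json.loads(_unb64(header))["kid"]
    return kid, json.loads(_unb64(body)), header, body, _unb64(sig)

def validate_weak(token: str) -> Optional[dict]:
    """Flawed check: any known key that verifies the signature is accepted,
    regardless of which accounts that key is supposed to sign for."""
    kid, claims, header, body, sig = _parse(token)
    key = KEYS.get(kid)
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, sig) else None

def validate_strict(token: str) -> Optional[dict]:
    """Hardened check: signature must verify AND the signing key must be
    scoped for the account type the token claims."""
    claims = validate_weak(token)
    if claims is None:
        return None
    kid = _parse(token)[0]
    if KEYS[kid]["scope"] != claims.get("account_type"):
        return None  # e.g. a consumer key presented for an enterprise mailbox
    return claims
```

A token for an enterprise mailbox signed with the consumer key passes `validate_weak` but is rejected by `validate_strict`; the difference between the two is the barrier that was missing.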
Microsoft has published its findings on the incident and says it has already drawn conclusions. The software errors, from the over-permissive contents of the crash dump to the check of which key may sign tokens for which accounts, have now been fixed, and the internal processes are also being reworked.