
State-sponsored hackers infiltrate Outlook accounts, prompting Microsoft to strengthen its key generation systems to enhance security measures.

A China-linked hacking group, tagged by Microsoft as Storm-0558, has evolved and adapted its strategies, presumably in response to attempts to thwart its hacking operations.


In a recent development, a China-linked hacking group known as Storm-0558 has been implicated in a sophisticated cyber espionage campaign that targeted Microsoft and several other organizations. Security researchers and intelligence agencies have linked the Cigril malware to this group based on code analysis, infrastructure overlaps, and tactics, techniques, and procedures (TTPs) consistent with Storm-0558's known methods.

Storm-0558 utilized Cigril malware as part of their intrusion toolset during their extensive cyber espionage operations. The malware was deployed to establish persistence, conduct reconnaissance, and move laterally within compromised networks, including high-profile targets like Microsoft. The deployment of Cigril enabled the group to maintain long-term access and exfiltrate sensitive data stealthily, contributing to the success of the 2021 attacks that compromised Microsoft Exchange Server emails and affected multiple organizations worldwide.

On June 26, Microsoft took steps to help protect customers from future attacks. The company hardened key issuance systems and revoked all prior keys, following the discovery that a China-linked hacking group had acquired an inactive Microsoft account consumer signing key. The hacking group used this key to access data from about two dozen other organizations. On June 27, Microsoft blocked the use of tokens signed with the acquired MSA key in Outlook Web Access (OWA), preventing additional enterprise mail activity by malicious actors. On June 29, Microsoft completed the replacement of the key to stop the hackers from using it to forge tokens.
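The blocking step above comes down to what a relying party does with a token's signing key id. As an added illustration (not code from Microsoft or from the article), the validator below rejects a token whose key id is revoked or is not in the trusted key set of this endpoint, pins the expected issuer, and only then checks the signature and expiry. All key ids, keys, issuer URLs and claims are constructed placeholders, and HMAC-SHA256 stands in for the asymmetric signature a real token service uses.

```python
import base64, hashlib, hmac, json

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(kid: str, key: bytes, claims: dict) -> str:
    """Build a compact header.payload.signature token (constructed test data)."""
    header = _b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"

def validate_token(token, trusted_keys, revoked_kids, expected_iss, now):
    """Relying-party checks in order: kid revoked, kid trusted here, signature, issuer, expiry."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64u_decode(h))
        claims = json.loads(_b64u_decode(p))
    except ValueError:  # bad split, bad base64, bad JSON
        return False, "malformed token"
    kid = header.get("kid")
    if kid in revoked_kids:
        return False, f"signing key {kid} has been revoked"
    if kid not in trusted_keys:  # a consumer-account key must never pass an enterprise endpoint
        return False, f"signing key {kid} not trusted by this endpoint"
    expected = hmac.new(trusted_keys[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(s)):
        return False, "signature mismatch"
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "accepted"

# Constructed key material and ids (placeholders, not real Microsoft values).
ENTERPRISE_KEYS = {"ent-key-2023": b"enterprise-signing-secret"}
ACQUIRED_MSA_KID, ACQUIRED_MSA_KEY = "msa-key-2016", b"leaked-consumer-secret"
REVOKED_KIDS = {ACQUIRED_MSA_KID}
ENTERPRISE_ISS = "https://login.example-enterprise.test/"
NOW = 1_688_000_000  # fixed clock for the example

def check_forged_token(revoked=REVOKED_KIDS):
    """A token signed with the acquired consumer key but claiming the enterprise issuer."""
    forged = mint_token(ACQUIRED_MSA_KID, ACQUIRED_MSA_KEY,
                        {"iss": ENTERPRISE_ISS, "sub": "victim", "exp": NOW + 3600})
    return validate_token(forged, ENTERPRISE_KEYS, revoked, ENTERPRISE_ISS, NOW)
```

Even with the revocation list empty, the forged token still fails because the consumer key id is not in the enterprise endpoint's trusted set; revocation is the second line of defence, not the first.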

The attacks by Storm-0558 have been diverse, involving credential harvesting, phishing, and OAuth token attacks. Past campaigns have led to web shells, including China Chopper, being placed on compromised servers. The hacking group forged tokens to steal emails from the U.S. State Department, reflecting their targeting of identity systems to gain credentialed access.

In response, the FBI and Cybersecurity and Infrastructure Security Agency released updated guidance on the threat activity on Friday. Peter Firstbrook, VP analyst at Gartner, stated that these attacks serve as an example of how attackers are targeting the identity system to gain credentialed access.

Organizations are urged to enable audit logging and harden their cloud environments to protect against such attacks. Microsoft has also released additional analysis on the attack, emphasizing the need for vigilance and continuous improvement in cybersecurity measures.

  • The cybersecurity community has identified a diverse array of tactics used by Storm-0558, such as phishing, malware deployment, and OAuth token manipulation.
  • The Cigril malware, used by Storm-0558, is designed to establish persistence, conduct reconnaissance, and move laterally within compromised networks.
  • The political dimension of cyber espionage is evident in Storm-0558's targeting of Microsoft, malware developers, and even the U.S. State Department.
