WASHINGTON (AP) — State-backed Chinese hackers foiled Microsoft’s cloud-based security in hacking the email accounts of officials at multiple U.S. agencies that deal with China ahead of Secretary of State Antony Blinken’s trip to Beijing last month, officials said Wednesday.
The surgical, targeted espionage accessed the email of a small number of individuals at an unspecified number of U.S. agencies and was discovered in mid-June by the State Department, U.S. officials said. They said none of the breached systems were classified, nor was any of the stolen data.
The hacked officials included Commerce Secretary Gina Raimondo, The Washington Post reported, citing anonymous U.S. officials. Export controls imposed by her agency have stung multiple Chinese companies.
One person familiar with the investigation said U.S. military and intelligence agencies were not among the agencies impacted in the monthlong spying campaign, which also affected unnamed foreign governments.
The officials spoke on condition they not be further identified.
In a technical advisory Wednesday and a call with reporters, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI said Microsoft determined the hackers gained access by impersonating authorized users.
Officials did not specify the nature of the stolen data. But one U.S. official said the intrusion was “directly targeted” at diplomats and others who deal with the China portfolio at the State Department and other agencies. The official added that it was not yet clear if there had been any significant compromise of information.
The Blinken trip went ahead as planned, although with customary information security procedures in place, which required his delegation to use “burner” phones and computers in China.
The hack was disclosed late Tuesday by Microsoft in a blog post. It said it was alerted to the breach, which it blamed on a state-backed, espionage-focused Chinese hacking group “known to target government agencies in Western Europe,” on June 16. Microsoft said the group, which it calls Storm-0558, had gained access to email accounts affecting about 25 organizations, including government agencies, since mid-May as well as to consumer accounts of individuals likely associated with those agencies.
Neither Microsoft nor U.S. officials would identify the agencies or governments impacted. A senior CISA official told reporters in a press call that the number of affected organizations in the United States is in the single digits.
While the official declined to say whether U.S. officials are displeased with Microsoft over the breach, U.S. National Security Council spokesman Adam Hodge noted that it was “government safeguards” that detected the intrusion and added, “We continue to hold the procurement providers of the U.S. Government to a high security threshold.”
In fact, those safeguards consist of a data-logging feature for which Microsoft charges a premium. The CISA official noted that some of the victims lacked the data-logging feature and, unable to detect the breach, learned of it from Microsoft.
But of greater concern to cybersecurity experts is that The Storm-0558 hackers broke in using forged authentication tokens — which are used to verify the identity of a user. Microsoft’s executive vice president for security, Charlie Bell, said on the company’s website that the hackers had done that by acquiring a “consumer signing key.”
Cybersecurity researcher Jake Williams, a former National Security Agency offensive hacker, said it remains unclear how the hackers accomplished that. Microsoft did not immediately respond to emailed questions, including whether it was breached by the hackers to obtain the signing key.
Williams was concerned the hackers could have forged tokens for wide use to hack any number of non-enterprise Microsoft users. “I can’t imagine China didn’t also use this access to target dissidents on personal subscriptions, too.”
The head of intelligence for the cybersecurity firm Crowdstrike, Adam Meyers, said in a statement that the incident highlights the systemic risk of relying on a single technology provider in Microsoft. He said “having one monolithic vendor that is responsible for all of your technology, products, services and security – can end in disaster.”
A Chinese foreign ministry spokesman, Wang Wenbin, called the U.S. accusation of hacking “disinformation” aimed at diverting attention from U.S. cyberespionage against China.
“No matter which agency issued this information, it will never change the fact that the United States is the world’s largest hacker empire conducting the most cyber theft,” Wang said in a routine briefing.
U.S. intelligence agencies also use hacking as a critical espionage tool and it is not a violation of international law.
Last month, Google-owned cybersecurity firm Mandiant said suspected state-backed Chinese hackers broke into the networks of hundreds of public and private sector organizations globally exploiting a vulnerability in a popular email security tool.
Earlier this year, Microsoft said state-backed Chinese hackers were targeting U.S. critical infrastructure and could be laying the technical groundwork to disrupt critical communications between the U.S. and Asia during future crises.