
A Microsoft Key That Opened US Fed’s Data

China-backed hackers got their hands on emails belonging to several Fed departments, which Microsoft now describes as an ongoing probe


Close to a week after China-backed hackers exploited a flaw in Microsoft’s cloud email service to gain access to the email accounts of US government employees, the tech giant is still probing how the attackers obtained the signing key that opened up the vault of federal data.

In a blog post released last Friday, Microsoft sought to provide deeper analysis of “the observed actor techniques for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics.” It said the investigation was ongoing to ascertain how the hackers got their hands on a Microsoft signing key that helped them forge authentication tokens. 

The mystery of the lost key lingers on

According to early reports, these tokens let the hackers read inboxes just as the rightful owners could. Those affected include US Commerce Secretary Gina Raimondo, State Department officials and a few other organizations that were not publicly named. Initial reports put the number of compromised email accounts at as many as 25.

A week ago, Microsoft had attributed the activity to a new espionage group that calls itself Storm-0558. Later, the US cybersecurity agency CISA revealed that the hacks began in mid-May and included government accounts from which the attackers removed unclassified email data. Of course, Chinese officials have denied any involvement.

Was Microsoft a tad complacent?

In the blog, Microsoft said the hackers had gotten their hands on its consumer signing key (the MSA key), which is used to secure consumer email accounts such as Outlook.com. The company said it initially believed the hackers were forging authentication tokens with an enterprise signing key, the kind used to secure enterprise-level email accounts.

However, it was later found that the hackers had used the consumer MSA key to forge the tokens that gave them access to enterprise inboxes; Microsoft blamed the fiasco on a validation error in its code. In the past, China had exploited vulnerabilities to hack individually into Microsoft-powered email servers and steal corporate data. This is the first time they have directly obtained the source key by targeting undisclosed vulnerabilities in Microsoft’s cloud.

The worst is over, but Microsoft can’t gloat

The company confirmed that it had blocked all activity related to the incident, indicating that the matter is closed and the hackers have lost their access. However, there is still no clarity on how they obtained the key in the first place. Microsoft has since confirmed that its key-issuing system has been hardened to prevent similar incidents.

According to the blog post, the hackers made the mistake of using the same key to raid several mailboxes, which allowed Microsoft’s security teams to study access requests from the actor that followed a similar pattern across enterprise and consumer systems. This helped the tech giant tell users whether their emails had been compromised.
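The validation error described above (a token signed with the consumer key being accepted by enterprise systems) and the cross-system access pattern that let Microsoft scope the intrusion can be illustrated with a small model. The code below is an added example, not Microsoft’s code or token format: it uses a toy HMAC token with a key registry that records which trust domain each key may sign for, shows a scope-blind verifier beside a hardened one, and adds a log check that flags a key used against a system outside its registered scope. All key ids, secrets, accounts and log entries are constructed.

```python
"""Key-scope confusion in token validation (added illustration, not Microsoft's code).

A verifier that checks only the signature and expiry will accept any token made
with any key it trusts, even one that belongs to a different trust domain. The
hardened verifier also requires the signing key's registered scope to match the
system performing the validation. Everything here is constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key registry: kid -> (secret, trust domain the key may sign for).
KEY_REGISTRY = {
    "consumer-kid-1": (b"constructed-consumer-secret", "consumer"),
    "enterprise-kid-1": (b"constructed-enterprise-secret", "enterprise"),
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a toy token: b64(header).b64(claims).b64(hmac-sha256)."""
    secret, _scope = KEY_REGISTRY[kid]
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def _check_signature(token: str) -> Tuple[Optional[dict], Optional[str]]:
    """Return (claims, key_scope) if the signature verifies, else (None, None)."""
    header_b64, body_b64, mac_b64 = token.split(".")
    kid = json.loads(_unb64(header_b64)).get("kid")
    if kid not in KEY_REGISTRY:
        return None, None
    secret, scope = KEY_REGISTRY[kid]
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac_b64)):
        return None, None
    return json.loads(_unb64(body_b64)), scope

def verify_scope_blind(token: str, system: str, now: Optional[float] = None) -> Optional[dict]:
    """Flawed verifier: checks signature and expiry, but never asks whether the
    signing key is allowed to authenticate users to `system`."""
    claims, _key_scope = _check_signature(token)
    if claims is None:
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims  # accepted even if a consumer key signed an enterprise token

def verify_scoped(token: str, system: str, now: Optional[float] = None) -> Optional[dict]:
    """Hardened verifier: the key's registered scope and the token audience must
    both match the system doing the validation."""
    claims, key_scope = _check_signature(token)
    if claims is None:
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    if key_scope != system or claims.get("aud") != system:
        return None  # a consumer-scoped key must never authenticate to enterprise
    return claims

# Constructed access log: which key id was presented to which system.
SAMPLE_ACCESS_LOG = [
    {"kid": "consumer-kid-1", "system": "consumer", "account": "alice@outlook.example"},
    {"kid": "consumer-kid-1", "system": "enterprise", "account": "sec@agency.example"},
    {"kid": "enterprise-kid-1", "system": "enterprise", "account": "bob@corp.example"},
]

def flag_cross_scope_use(access_log):
    """Flag requests where a key was used against a system outside its registered
    scope: the same-key-across-systems pattern the article says Microsoft used."""
    flagged = []
    for entry in access_log:
        scope = KEY_REGISTRY.get(entry["kid"], (None, None))[1]
        if scope is not None and scope != entry["system"]:
            flagged.append((entry["kid"], entry["system"], entry["account"]))
    return flagged

if __name__ == "__main__":
    cross = sign_token("consumer-kid-1", {"sub": "user@agency.example", "aud": "enterprise", "exp": 2000000000})
    print("scope-blind accepts:", verify_scope_blind(cross, "enterprise") is not None)
    print("scoped accepts:     ", verify_scoped(cross, "enterprise") is not None)
    print("flagged log entries:", flag_cross_scope_use(SAMPLE_ACCESS_LOG))
```

The point of the pairing is that the forged token is cryptographically valid in both verifiers; only the check that binds the key to a trust domain rejects it. The log check is the detection-side counterpart: once key ids are recorded per request, a key appearing against a system it was never issued for is a high-signal event worth alerting on.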

What needs to be done now?

Though the immediate threat has passed, there is still a lot Microsoft needs to do. Without doubt, there will be scrutiny over how it handled the incident, considered by some to be the biggest breach of unclassified government data since the 2020 Russian espionage attack on SolarWinds.

Industry experts are concerned over how Microsoft handled the situation and the great lengths it went to afterwards to control the damage. Some have questioned why the company avoided applying zero-day principles, under which there is no notice period for fixing vulnerabilities that have already been exploited.

Though one could describe this as hair-splitting by concerned individuals, Microsoft will have to come clean about the lack of transparency around the intrusions. It is currently taking some flak for reserving security logs for government accounts to its top-tier package, logs that might have helped other incident responders identify the malicious activity.

The company offered additional technical details late last week on the compromise that could help other incident responders check whether their networks were also targeted. However, there is scope for more transparency, given that cybercrime is a global phenomenon and its solutions, too, need to go beyond the corporate boundaries of individual companies.
