Chinese state-sponsored hackers exploited a stolen consumer signing key belonging to software giant Microsoft. The key gave them access to sensitive US government email accounts, making this one of the most significant cyber heists affecting both the company and the government sector.
Revealing the intricacies of this high-profile breach, Microsoft disclosed that the China-based threat actor, known as Storm-0558, utilized a Microsoft account (MSA) consumer key they had acquired to create counterfeit tokens. These tokens enabled them to gain unauthorized access to the Outlook Web App (OWA) and Outlook.com services.
The security lapse came to light during Microsoft’s internal investigation, which traced the key back to a crash of a consumer signing system in April 2021. The crash produced a snapshot of the failed process, commonly referred to as a crash dump. Such dumps are designed to exclude sensitive information, including the signing key; in this case, however, a race condition caused the key to be included in the crash dump. Microsoft has since fixed this issue.
Additionally, Microsoft’s systems initially failed to detect the key material within the crash dump. Microsoft states that this detection gap has also been remedied.
Armed with this “digital skeleton key,” the hackers successfully breached both personal and enterprise-level email accounts belonging to US government officials, all of which were hosted on Microsoft’s platforms. Microsoft explained that the crash dump, initially believed to be devoid of key material, had inadvertently been moved from the isolated production network to their debugging environment, which is connected to the internet.
Following the leak of the key within the crash dump into the corporate environment, the Storm-0558 actor managed to compromise the corporate account of a Microsoft engineer. This account held access to the debugging environment housing the crash dump containing the key.
Due to the limitations of log retention policies, Microsoft was unable to provide specific evidence of this key’s exfiltration by the actor. Nevertheless, it was deemed the most likely method through which the key was acquired. Microsoft has taken steps to bolster its security measures in response to this incident.