A hacking campaign that began in mid-May saw Chinese hackers infiltrating US government email accounts, including those of federal agencies such as the State Department and the Department of Commerce. While the campaign affected only unclassified systems and was reportedly small in scale, the targeted attacks on specific high-level individuals for espionage purposes raised red flags.
The breach remained undetected for about a month.
Microsoft’s threat research team played a crucial role in identifying the Chinese hackers behind the breach. They determined the attack’s origin and the specific information the hackers were seeking. Notably, the attackers used forged authentication tokens to target high-level government email accounts at various agencies.
China, as was to be expected, vehemently denied the accusations and instead accused the US government of aggressive hacking campaigns. This tit-for-tat stance is not uncommon in the realm of cyber warfare, where both nations try to gain the upper hand through their hacking capabilities.
Microsoft described the hackers’ modus operandi as “surgical,” referring to their method of targeting specific individuals for espionage purposes. The attackers used a stolen Microsoft account (MSA) consumer signing key to forge authentication tokens for government email accounts of interest. This allowed them to read mail through Outlook Web Access (OWA) and Outlook.com. Microsoft took swift action, blocking the forged tokens and replacing the MSA key to neutralize further attacker activity.
China is now considered the most technically advanced adversary by US officials.