2023-07-13

Microsoft recently mitigated a cyberattack conducted by a China-based group, identified as Storm-0558. This group targeted customer emails, primarily focusing on Western European government agencies with the intent of espionage, data theft, and credential access. That is what the company says in a blog post in which the technical details were also published.

Access to accounts of 25 organizations

The attack was reported by some customers on June 16, 2023, leading Microsoft to investigate anomalous email activity. Investigations revealed that as of May 15, 2023, Storm-0558 had gained access to the email accounts of approximately 25 organizations, including some government agencies, as well as consumer accounts linked to individuals possibly associated with these organizations.

Using fake tokens for authentication

The attack method consisted of using forged authentication tokens to access users' emails; the tokens were produced with a consumer signing key the group had acquired from a Microsoft account.

Microsoft reports that it has completed mitigating this attack for all customers by blocking Storm-0558's access to customer emails through the forged authentication tokens. The company states that no action is required from customers.
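The incident above turns on a signing key from one realm (consumer accounts) being used to mint tokens accepted elsewhere. The following added example, which is not Microsoft's code and does not describe how its services validate tokens, illustrates the general defensive check a token verifier should make: the key used to validate a token must belong to the key set of the issuer the verifier expects, not merely be some known key. It uses a toy HMAC-signed token format and constructed key material, and contrasts a scoped verifier with a naive one that looks keys up by key id across every issuer.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed toy key material: two independent issuers, each with its own key set.
# Real deployments use asymmetric keys published per issuer; the scoping logic is the same.
KEYS_BY_ISSUER = {
    "consumer": {"kid-consumer-1": b"consumer-secret"},
    "enterprise": {"kid-ent-1": b"enterprise-secret"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(issuer: str, kid: str, key: bytes, claims: dict) -> str:
    """Build a JWT-like token: header.payload.signature, HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "kid": kid}
    body = dict(claims, iss=issuer)
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(body).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return h, p, s, json.loads(_unb64(h)), json.loads(_unb64(p))


def _check(h, p, s, key, claims, now):
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return "reject: bad signature"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return "reject: expired"
    return claims


def verify_token(token: str, expected_issuer: str, now=None):
    """Scoped verifier: the kid is resolved only within the expected issuer's key set.

    Returns the claims on success or a string starting with 'reject:' on failure.
    """
    try:
        h, p, s, header, claims = _parse(token)
    except (ValueError, json.JSONDecodeError):
        return "reject: malformed"
    if claims.get("iss") != expected_issuer:
        return "reject: wrong issuer"
    key = KEYS_BY_ISSUER.get(expected_issuer, {}).get(header.get("kid"))
    if key is None:
        # A key id from a different issuer's set is simply unknown here.
        return "reject: unknown key for issuer"
    return _check(h, p, s, key, claims, now)


def verify_token_naive(token: str, expected_issuer: str, now=None):
    """Flawed verifier for contrast: the kid is looked up across every issuer's key set,
    so a valid key from another realm validates a token that claims this issuer."""
    try:
        h, p, s, header, claims = _parse(token)
    except (ValueError, json.JSONDecodeError):
        return "reject: malformed"
    if claims.get("iss") != expected_issuer:
        return "reject: wrong issuer"
    kid = header.get("kid")
    key = next((ks[kid] for ks in KEYS_BY_ISSUER.values() if kid in ks), None)
    if key is None:
        return "reject: unknown key"
    return _check(h, p, s, key, claims, now)


if __name__ == "__main__":
    far_future = 10**10
    good = sign_token("enterprise", "kid-ent-1", b"enterprise-secret", {"sub": "alice", "exp": far_future})
    # Token that claims the enterprise issuer but is signed with the consumer realm's key.
    cross_realm = sign_token("enterprise", "kid-consumer-1", b"consumer-secret", {"sub": "alice", "exp": far_future})
    print("scoped, good token:", verify_token(good, "enterprise"))
    print("scoped, cross-realm key:", verify_token(cross_realm, "enterprise"))
    print("naive, cross-realm key:", verify_token_naive(cross_realm, "enterprise"))
```

The scoped verifier rejects the cross-realm token with "unknown key for issuer", while the naive verifier accepts it because the signature checks out under a key it happens to trust. The design point is that key material should be bound to an issuer (and, in practice, to an audience) at lookup time, so that possession of one realm's key never yields tokens valid in another.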

Objective: to compromise computer systems

“Motivated threat actors continue to focus on compromising computer systems. These well-resourced adversaries make no distinction between attempting to compromise corporate or personal accounts associated with targeted organizations, as it only takes a single successfully compromised account login to gain persistent access, exfiltrate information, and achieve espionage goals,” comments Charlie Bell, executive vice president of security at Microsoft, in another blog post. “The threat actor that Microsoft links to this incident is a China-based adversary that Microsoft calls Storm-0558. We believe this adversary is focused on espionage, such as accessing e-mail systems for intelligence gathering. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.”

Bell adds that collaboration has been established with the relevant government agencies, such as DHS CISA.

