On July 11, Microsoft revealed that a Chinese hacking group it calls Storm-0558 was able to access the email systems of US government agencies, potentially compromising hundreds of thousands of emails. Since then, details of the incident have started to emerge—including reports claiming that the email accounts of the US ambassador to China and other senior officials were breached. The attackers were able to access the email accounts, according to Microsoft and the US State Department, using a private signing key they had acquired and were using to generate access tokens for the accounts.
A new investigation by the cloud security firm Wiz, though, claims that the compromised key could have also been used to create access tokens for other Microsoft services including SharePoint, Teams, OneDrive, and third-party apps created by customers.
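To make the blast-radius point concrete, here is an added illustration (not code from Microsoft, Wiz, or the original article) using a deliberately simplified HMAC-signed token format and constructed keys: when every service trusts the same key ID, a token minted with a leaked key is accepted everywhere; scoping keys per service and honouring a revocation list narrows what that one key can reach.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, simplified token scheme for illustration only; it is not
# Microsoft's real token format, key material or validation logic.

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(key: bytes, kid: str, aud: str, sub: str) -> str:
    """Mint header.payload.signature, as an attacker holding `key` could."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = {"aud": aud, "sub": sub, "exp": int(time.time()) + 600}
    payload = _b64(json.dumps(body).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, expected_aud: str, trusted: dict, revoked: set):
    """Return the payload if the token verifies for this service, else None."""
    try:
        h, p, s = token.split(".")
        header, payload = json.loads(_unb64(h)), json.loads(_unb64(p))
    except ValueError:  # malformed base64/JSON or wrong segment count
        return None
    kid = header.get("kid")
    if kid in revoked or kid not in trusted:  # unknown or revoked key ID
        return None
    expected = hmac.new(trusted[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return None
    if payload.get("aud") != expected_aud or payload.get("exp", 0) < time.time():
        return None
    return payload

def services_accepting(key: bytes, kid: str, trust_per_service: dict, revoked: set) -> list:
    """Blast radius: which services accept a token minted with this key/kid."""
    return [svc for svc, trusted in trust_per_service.items()
            if verify_token(mint_token(key, kid, svc, "alice"), svc, trusted, revoked)]

LEAKED = b"constructed-leaked-key"  # stands in for a compromised signing key
SHARED_TRUST = {svc: {"kid-global": LEAKED} for svc in ("mail", "sharepoint", "teams")}
SCOPED_TRUST = {"mail": {"kid-mail": LEAKED},
                "sharepoint": {"kid-sp": b"constructed-key-1"},
                "teams": {"kid-teams": b"constructed-key-2"}}

if __name__ == "__main__":
    print(services_accepting(LEAKED, "kid-global", SHARED_TRUST, set()))  # all three
    print(services_accepting(LEAKED, "kid-mail", SCOPED_TRUST, set()))  # ['mail']
    print(services_accepting(LEAKED, "kid-global", SHARED_TRUST, {"kid-global"}))  # []
```

The third call shows why knowing which key leaked matters: revoking the key ID closes every service at once, but only if the validators actually consult the revocation list.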
“All of Microsoft, all of Microsoft Office 365, all of Azure relies on authentication tokens. This is the fabric of the cloud,” says Wiz chief technology officer Ami Luttwak.
A Microsoft spokesperson told WIRED in a statement that “many of the claims made in this blog are speculative and not evidence-based,” but did not specify which claims.
“The methodology employed by Wiz to identify the broader scope of where the compromised key would be accepted looks very technically solid,” says Jake Williams, a former NSA hacker who now teaches at the Institute for Applied Network Security in Boston. “The research highlights that the scope of the compromised key is far broader than originally reported.”
Microsoft wrote last week that its “investigations have not detected any other use of this pattern by other actors and Microsoft has taken steps to block related abuse.” But if the stolen signing key could have been used to breach other services, even if it wasn’t used this way in the recent incident, the finding has significant implications for the security of Microsoft’s cloud services and other platforms.
The attack “seems to have a broader scope than originally assumed,” the Wiz researchers wrote. They added, “This isn’t a Microsoft-specific issue—if a signing key for Google, Facebook, Okta, or any other major identity provider leaks, the implications are hard to comprehend.”
Microsoft’s products are ubiquitous worldwide, though, and Wiz’s Luttwak emphasizes that the incident should serve as an important warning.
“There are still questions that only Microsoft can answer. For example, when was the key compromised? And how?” he says. “Once we know that, the next question is, do we know it’s the only key that they had compromised?”
After Chinese attack, Microsoft expands free cloud logging capabilities for all users
In response to China’s attack on US government cloud email accounts from Microsoft—a campaign that US officials have described publicly as espionage—Microsoft announced this past week that it will make more of its cloud logging services free to all customers. Previously, customers had to pay for a license to Microsoft’s Purview Audit (Premium) offering to log the data.
The US Cybersecurity and Infrastructure Security Agency’s executive assistant director for cybersecurity, Eric Goldstein, wrote in a blog post also published this past week that “asking organizations to pay more for necessary logging is a recipe for inadequate visibility into investigating cybersecurity incidents and may allow adversaries to have dangerous levels of success in targeting American organizations.”