State-backed Chinese hackers foiled Microsoft’s cloud-based security in hacking the email accounts of officials at multiple U.S. agencies that deal with China ahead of Secretary of State Antony Blinken’s trip to Beijing last month, officials said Wednesday.
The surgical, targeted espionage accessed the email of a small number of individuals at an unspecified number of U.S. agencies and was discovered in mid-June by the State Department, U.S. officials said. They said none of the breached systems were classified, nor was any of the stolen data.
One person familiar with the investigation said U.S. military and intelligence agencies were not among the agencies impacted in the monthlong spying campaign, which also affected unnamed foreign governments.
The officials spoke on condition they not be further identified.
In a technical advisory Wednesday and a call with reporters, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI said Microsoft determined the hackers gained access by impersonating authorized users.
Officials did not specify the nature of the stolen data. But one U.S. official said the intrusion was “directly targeted” at diplomats and others who deal with the China portfolio at the State Department and other agencies. The official added that it was not yet clear if there had been any significant compromise of information.
The Blinken trip went ahead as planned, although with customary information security procedures in place, which required his delegation to use “burner” phones and computers in China.
The hack was disclosed late Tuesday by Microsoft in a blog post. It said it was alerted to the breach, which it blamed on a state-backed, espionage-focused Chinese hacking group “known to target government agencies in Western Europe,” on June 16. Microsoft said the group, which it calls Storm-0558, had gained access to email accounts affecting about 25 organizations, including government agencies, since mid-May as well as to consumer accounts of individuals likely associated with those agencies.
Neither Microsoft nor U.S. officials would identify the agencies or governments impacted. But a senior CISA official told reporters in a press call that just a handful of those organizations are in the United States.
While the official declined to say whether U.S. officials are displeased with Microsoft over the breach, U.S. National Security Council spokesman Adam Hodge noted that it was “government safeguards” that detected the intrusion and added, “We continue to hold the procurement providers of the U.S. Government to a high security threshold.”
In fact, those safeguards consist of a data-logging feature for which Microsoft charges a premium. The CISA official noted that some of the victims lacked the data-logging feature and, unable to detect the breach, learned of it from Microsoft.
The Storm-0558 hackers broke in using forged authentication tokens — data used to verify the identity of a user — to access the email accounts, Microsoft said.
Cybersecurity researcher Jake Williams, a former National Security Agency offensive hacker, said it remains unclear how the hackers accomplished that. But he was concerned that forged tokens could have been widely used against any number of different Microsoft users.
“I can’t imagine China didn’t also use this access to target dissidents on personal subscriptions, too,” he said.
A Chinese foreign ministry spokesman, Wang Wenbin, called the U.S. accusation of hacking “disinformation” aimed at diverting attention from U.S. cyberespionage against China.
“No matter which agency issued this information, it will never change the fact that the United States is the world’s largest hacker empire conducting the most cyber theft,” Wang said in a routine briefing.
U.S. intelligence agencies also use hacking as a critical espionage tool and it is not a violation of international law.
Some U.S. officials accuse Beijing of going too far with its state-sponsored hacking. China’s long-standing campaign of hacking for geopolitical advantage had included the massive theft of U.S., and allied intellectual property and U.S. government personnel records.
On Wednesday, Senate intelligence committee chair Mark Warner issued a statement saying the latest Chinese breach shows Beijing is “steadily improving its cyber collection capabilities directed against the U.S. and our allies.”
Last month, Google-owned cybersecurity firm Mandiant said suspected state-backed Chinese hackers broke into the networks of hundreds of public and private sector organizations globally exploiting a vulnerability in a popular email security tool.
Earlier this year, Microsoft said state-backed Chinese hackers were targeting U.S. critical infrastructure and could be laying the technical groundwork to disrupt critical communications between the U.S. and Asia during future crises.
____
Associated Press writers Aamer Madhani in Washington and Zen Soo in Hong Kong contributed to this report. Bajak reported from Boston.
