The breaches have been mitigated, officials said, but an FBI investigation continues.
The Microsoft vulnerability was discovered last month by the State Department. Also targeted were the email accounts of a congressional staffer, a U.S. human rights advocate and U.S. think tanks, officials and security professionals said.
The hackers, looking for information useful to the Chinese government, had access to the email accounts for about a month before the issue was discovered and access cut off, said officials, speaking on the condition of anonymity due to the matter’s sensitivity. The intrusion was discovered around the time of Secretary of State Antony Blinken’s trip to Beijing.
“U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” National Security Council spokesman Adam Hodges said in a statement to The Washington Post. “Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. government to a high security threshold.”
Pentagon, intelligence community and military email accounts did not appear to be affected, according to a person familiar with the matter.
A senior FBI official said that no classified information was taken and that there was no evidence that the hackers got anywhere except the inboxes. He said the government was not yet attributing the attack to any country or group but would seek to “impose costs” on the adversary.
A senior Department of Homeland Security official said that nine organizations were victimized in the United States, with a small number of email accounts compromised at each. Microsoft said a total of about 25 organizations worldwide were hacked.
Microsoft disclosed late Tuesday that it had mitigated an attack by “a China-based threat actor” that primarily targets government agencies in Western Europe and focuses on espionage and data theft.
The Redmond, Wash.-based tech giant said the hackers, whom the firm calls Storm-0558, gained access on May 15. They did this by using forged authentication tokens to access user email using “an acquired Microsoft account consumer signing key,” according to a blog written by Charlie Bell, Microsoft’s executive vice president of security.
The hackers could create that key only with a more powerful internal key controlled by Microsoft, said Adam Meyers, senior vice president of CrowdStrike, suggesting that Microsoft itself had been hacked or compromised by an insider.
U.S. officials said they were investigating how the signing keys were obtained from Microsoft, which did not respond to written questions from The Post. “That is an area of urgent focus,” said the DHS official.
“This attack used a stolen key that Microsoft’s design failed to properly validate,” said Jason Kikta, chief information security officer at Automox and former head of private sector partnerships at U.S. Cyber Command. “The inability to do proper validation for authentication is a habit, not an anomaly.”
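The validation failure described in the two paragraphs above, a token signed with a consumer signing key being accepted for enterprise mailboxes, as an added Python illustration that is not Microsoft's code and not part of this article. The key ids, issuer names and secrets are constructed stand-ins, and an HMAC replaces the asymmetric signature a real identity service would use, so the example runs offline with only the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key material. Real signing keys are asymmetric; an HMAC
# secret stands in here so the example runs offline with only the stdlib.
CONSUMER_KEYS = {"msa-key-1": b"constructed-consumer-secret"}
ENTERPRISE_KEYS = {"aad-key-1": b"constructed-enterprise-secret"}

# Hypothetical issuer names, bound to the only key set allowed to vouch for them.
KEYSET_FOR_ISSUER = {
    "consumer-issuer": CONSUMER_KEYS,
    "enterprise-issuer": ENTERPRISE_KEYS,
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(kid, key, claims):
    """Sign a compact JWT-style token (header.payload.signature) with key id kid."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _verify_with(token, keyset):
    """Return the claims if the token's kid is in keyset and the MAC checks out."""
    header_s, body_s, sig_s = token.split(".")
    key = keyset.get(json.loads(_unb64(header_s)).get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, f"{header_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_s)):
        return None
    return json.loads(_unb64(body_s))

def validate_weak(token):
    """Flawed: any key the service knows, consumer or enterprise, validates any token."""
    return _verify_with(token, {**CONSUMER_KEYS, **ENTERPRISE_KEYS})

def validate_strict(token):
    """Hardened: only the key set bound to the token's claimed issuer may sign it."""
    claims = json.loads(_unb64(token.split(".")[1]))
    keyset = KEYSET_FOR_ISSUER.get(claims.get("iss"))
    return None if keyset is None else _verify_with(token, keyset)
```

The strict path rejects a token that claims the enterprise issuer but carries a consumer key id, which is the check the weak path never makes.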
Microsoft has completed its mitigation of the attack for all customers, Bell wrote in the blog.
“There are some hard questions they have to answer,” though, said the person familiar with the matter.
The State Department discovered the intrusion on June 16 and notified the company the same day, officials said. The diplomatic agency is a favorite target for foreign spy services. Russian government hackers have breached its networks at least twice, in 2014 and during the 2020 SolarWinds campaign.
In the latter incident, Russian hackers accessed U.S. government email accounts after exploiting software made by a Texas company called SolarWinds. Once inside a target network, the hackers exploited weaknesses in Microsoft’s system for authenticating users, using tokens that would improperly give them the same access as an administrator.
Officials stressed the latest breach was much narrower than the SolarWinds breach, which officials say affected nearly a dozen U.S. agencies.
In early 2021, Microsoft found that its Exchange email servers were also subject to widespread exploitation, this time by Chinese hackers using a separate flaw.
Further underscoring Microsoft’s continuing security woes, the company confirmed Tuesday that its validation procedure had been manipulated to digitally sign dozens of pieces of software. And in yet a third incident, it warned that Russian actors it blames for espionage and financial crimes were exploiting a previously unknown vulnerability in its Office program.
After the SolarWinds hack, Microsoft President Brad Smith testified to the Senate that its code had not been vulnerable, instead blaming customers for common configuration mistakes and poor controls, including cases “where the keys to the safe and the car were left out in the open.”
Homeland Security officials complained that basic security tools, such as the ability to review logs, were available only at more expensive tiers of service.
Following the SolarWinds fiasco, Microsoft agreed to provide more log access free to government customers. It was that capability that allowed the government to identify the latest intrusion, the DHS official said.
Not everyone had that visibility, however.
“It is our perspective that every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box,” said the DHS official.
The latest incident strengthens the administration’s hand as it pushes for cloud and software providers to be held more accountable for security failings, a key part of its National Cybersecurity Strategy.
The U.S. government has already tightened cybersecurity rules for vendors whose software and hardware it uses.
Caroline O’Donovan contributed to this report.