FRANK BAJAK and MATTHEW LEE (Associated Press)
WASHINGTON (TodayNews) — State-backed Chinese hackers got past Microsoft’s cloud security and broke into the email accounts of officials at several U.S. agencies that deal with China ahead of Secretary of State Antony Blinken’s trip to Beijing last month, officials said Wednesday.
The surgically targeted espionage accessed the email of a small number of individuals at an unspecified number of U.S. agencies and was discovered in mid-June by the State Department, U.S. officials said. They said that none of the hacked systems were classified, nor was the stolen data.
Among the hacked officials was Secretary of Commerce Gina Raimondo, The Washington Post reports, citing anonymous US officials. Export controls imposed by her agency hit several Chinese companies.
One person familiar with the investigation said the US military and intelligence agencies were not among the agencies affected by the month-long spy campaign, which also affected unnamed foreign governments.
The officials spoke on the condition that their identity would not be revealed.
In a technical advisory issued Wednesday and in a phone call with reporters, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI said Microsoft had determined that the hackers gained access by impersonating authorized users.
Officials did not specify the nature of the stolen data. But one US official said the incursion was “directly targeted” at diplomats and others who deal with China at the State Department and other agencies. The official added that it is not yet clear if there has been any material disclosure.
Blinken’s trip went ahead as planned, though under the standard information security procedures that required his delegation to use “burner” phones and computers in China.
The hack was disclosed late Tuesday by Microsoft in a blog post. The company said it was alerted on June 16 to a hack it blames on a state-backed Chinese espionage group “known to target government agencies in Western Europe.” The group, Microsoft said, had since mid-May gained access to email accounts at about 25 organizations, including government agencies, as well as to the consumer accounts of individuals likely associated with those organizations.
Neither Microsoft nor US officials have named the agencies or governments affected. A senior CISA official told reporters during a press conference that the number of affected organizations in the United States is in the single digits.
While the official declined to say whether U.S. officials were unhappy with Microsoft over the breach, U.S. National Security Council spokesman Adam Hodge noted that it was “state security measures” that detected the intrusion and added: “We continue to hold the U.S. Government’s procurement suppliers to a high security threshold.”
Those safeguards were, in fact, a data logging feature for which Microsoft charges extra. The CISA official noted that some of the victims did not have that logging enabled, failed to detect the breach themselves and learned of it from Microsoft.
What most concerns cybersecurity experts, however, is that the Storm-0558 hackers got in by forging authentication tokens, the credentials used to verify a user’s identity. Microsoft’s executive vice president of security, Charlie Bell, said on the company’s website that the hackers did this by obtaining a “consumer signing key.”
Cybersecurity researcher Jake Williams, a former National Security Agency offensive hacker, said it remains unclear how the hackers managed this. Microsoft did not immediately respond to emailed questions, including whether it had itself been hacked to obtain the signing key.
Williams was concerned that the hackers could forge such tokens for widespread use to break into any number of non-corporate Microsoft accounts. “I can’t imagine China not also using this access to attack dissidents on personal subscriptions.”
Adam Meyers, head of intelligence at the cybersecurity firm CrowdStrike, said in a statement that the incident highlights the systemic risk of relying on Microsoft as a single technology provider. He said that “having one monolithic vendor responsible for all your technology, products, services and security can be a disaster.”
Chinese Foreign Ministry spokesman Wang Wenbin called the US allegations of the hack “disinformation” aimed at diverting attention from US cyber espionage against China.
“No matter which agency released this information, it will never change the fact that the United States is the world’s largest hacker empire with the highest number of cyber thefts,” Wang said at a routine briefing.
U.S. intelligence agencies also use hacking as a key espionage tool, which is not a violation of international law.
Google-owned cybersecurity company Mandiant said last month that suspected state-backed Chinese hackers had breached the networks of hundreds of public and private sector organizations around the world using a vulnerability in a popular email security tool.
Microsoft said earlier this year that state-backed Chinese hackers are targeting critical U.S. infrastructure and could lay the technical foundation to disrupt critical communications between the U.S. and Asia during future crises.
Associated Press writers Aamer Madhani in Washington and Zen Soo in Hong Kong contributed to this report. Bajak reported from Boston.