Microsoft says that hackers used a flaw in its code to steal emails from government agencies and other clients.
Microsoft, in its post-mortem report, said that Chinese hackers were able to take advantage of “a validation error in Microsoft code” to carry out their cyberespionage campaign. It provides the fullest explanation yet for a hack that rattled both the cybersecurity industry and China-US relations. Beijing has denied any involvement in the spying.
Microsoft and US officials said that Chinese state-linked hackers had been secretly accessing email accounts at around 25 organizations since May. US officials said those included at least two US government agencies.
Microsoft has not identified any of the hack’s targets, but several victims have acknowledged they were affected, including personnel at the State Department, the Commerce Department, and the US House of Representatives.
Microsoft’s own security practices have come under scrutiny, with officials and lawmakers calling on the Redmond, Washington-based company to make its top level of digital auditing, also called logging, available to all its customers free of charge.
What happened?
A U.S. government agency reportedly detected the first signs of an intrusion by a Chinese hacking group through a premium logging feature that is not available to customers on lower-priced Microsoft 365 tiers.
The high-profile incident is raising new questions not just about the security of Microsoft’s online platforms for business and government, but also about the ways the company generates revenue from security features.
An agency in the Federal Civilian Executive Branch discovered the hack after detecting unusual activity in a type of audit log available to business and government customers only in the most advanced Microsoft 365 tier.
An executive with Google, Microsoft’s arch-rival in cloud-based productivity software, called on the U.S. government to rethink its approach.
The hackers, whom Microsoft has dubbed “Storm-0558,” used an “acquired” Microsoft consumer account key to forge digital tokens that gave them access to the email accounts of “approximately 25 organizations including government agencies as well as related consumer accounts of individuals likely associated with these organizations,” Microsoft said in a post earlier this week.
Microsoft says the vulnerability that allowed the forged tokens to be used to access the email accounts has been fixed. The company has not yet explained how the consumer account key that was used to create the tokens was acquired by the hacking group.
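The article describes the core of the incident as a token-validation bug: a token signed with a key from the consumer identity system was accepted as valid for enterprise mailboxes. The following is an added illustration of that class of bug in toy form, written for this page; it is not Microsoft's code and does not reproduce the actual flaw. The key names, issuer URLs, secrets, claims and the HMAC-based token format are all constructed. The vulnerable validator trusts any key in a merged key set for any issuer; the hardened one binds each signing key to the single issuer it may sign for and rejects a token whose `iss` claim does not match.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key set (hypothetical; no real signing material). Each key
# records the issuer it is authorized to sign tokens for.
SIGNING_KEYS = {
    "consumer-key-1": {
        "secret": b"consumer-signing-secret-demo",
        "issuer": "https://login.consumer.example",
    },
    "enterprise-key-1": {
        "secret": b"enterprise-signing-secret-demo",
        "issuer": "https://login.enterprise.example",
    },
}
MAIL_AUDIENCE = "https://mail.example"  # constructed audience for the mail API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Produce header.payload.signature, HMAC-SHA256 under the named key.
    An attacker holding the consumer key can call this with any claims."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SIGNING_KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str):
    """Return (kid, claims) if the signature checks out under the key named
    in the header, else None. Deliberately says nothing about key scope."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    kid = header.get("kid")
    key = SIGNING_KEYS.get(kid)
    if key is None or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return kid, json.loads(_b64url_decode(p))


def _claims_ok(claims: dict, expected_aud: str) -> bool:
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > time.time()


def validate_vulnerable(token: str, expected_aud: str):
    """Bug: any key in the merged key set is trusted for any issuer, so a
    consumer-signed token that claims an enterprise issuer is accepted."""
    result = _verify_signature(token)
    if result is None:
        return None
    _kid, claims = result
    return claims if _claims_ok(claims, expected_aud) else None


def validate_hardened(token: str, expected_aud: str):
    """Fix: the key that verified the signature must be one the token's
    issuer is allowed to use. A cross-domain key is rejected even though
    the signature itself is mathematically valid."""
    result = _verify_signature(token)
    if result is None:
        return None
    kid, claims = result
    if claims.get("iss") != SIGNING_KEYS[kid]["issuer"]:
        return None
    return claims if _claims_ok(claims, expected_aud) else None


def forged_enterprise_token() -> str:
    """Token signed with the consumer key but asserting enterprise claims."""
    claims = {
        "iss": "https://login.enterprise.example",
        "aud": MAIL_AUDIENCE,
        "sub": "user@agency.example",  # constructed victim identity
        "exp": int(time.time()) + 3600,
    }
    return sign_token("consumer-key-1", claims)


def legitimate_enterprise_token() -> str:
    claims = {
        "iss": "https://login.enterprise.example",
        "aud": MAIL_AUDIENCE,
        "sub": "user@agency.example",
        "exp": int(time.time()) + 3600,
    }
    return sign_token("enterprise-key-1", claims)


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("vulnerable accepts forged token:", validate_vulnerable(forged, MAIL_AUDIENCE) is not None)
    print("hardened accepts forged token:  ", validate_hardened(forged, MAIL_AUDIENCE) is not None)
```

The signature on the forged token is genuinely valid, which is why a validator that only asks "does the signature verify under the key named in `kid`?" lets it through. The hardened check adds the question the article's "validation error" left out: is this key allowed to speak for the issuer the token claims? Key rotation, `exp` enforcement and logging of accepted tokens remain necessary on top of that check.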
Microsoft, in a statement, says: “Accountability starts right here at Microsoft. We remain steadfast in our commitment to keep our customers safe. We are continually self-evaluating, learning from incidents, and hardening our identity/access platforms to manage evolving risks around keys and tokens.”