Chinese hackers targeted Raimondo, State emails through Microsoft breach

Breach is the latest in a series of attacks hitting federal agencies and comes as tensions grow between the U.S. and China.

China-based hackers gained access to the emails of Commerce Secretary Gina Raimondo and U.S. State Department officials last month through a vulnerability in Microsoft email systems, according to a department spokesperson and a news report.

Raimondo's targeting was first reported by The Washington Post. The State Department confirmed Wednesday the attack on its officials' emails.

Zoom out: The hack comes weeks after a Russian-linked cybercriminal group also breached networks at U.S. agencies, and as tensions grow between the U.S. and China.

The Cybersecurity and Infrastructure Security Agency and the FBI put out a joint advisory Wednesday announcing the breach, but did not specify the target, saying a federal agency first spotted the suspicious activity in mid-June after noticing in its Microsoft 365 audit logs that Exchange Online mailboxes belonging to licensed users were being accessed through abnormal programs. The agency reported the activity to Microsoft and CISA.
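As an added illustration of the detection described above (example code, not from the article or from any agency): a Python check over constructed Microsoft 365 unified audit log records that flags mailbox-access events coming from a client application the tenant does not expect, then groups them by application, since one unknown app reaching into several mailboxes is the stronger signal. The MailItemsAccessed operation and ClientAppId field are real audit-log names as I know them; the app IDs, mailboxes and allowlist are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample of Microsoft 365 unified audit log records (JSON lines).
# Field names follow the real schema as I understand it; every ID, mailbox
# and timestamp here is made up for the example.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2023-06-15T09:01:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientAppId":"aaaa0000-0000-0000-0000-000000000001"}
{"CreationTime":"2023-06-15T09:02:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","ClientAppId":"aaaa0000-0000-0000-0000-000000000001"}
{"CreationTime":"2023-06-15T09:03:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientAppId":"dead0000-0000-0000-0000-00000000beef"}
{"CreationTime":"2023-06-15T09:04:00","Operation":"MailItemsAccessed","UserId":"carol@example.gov","ClientAppId":"dead0000-0000-0000-0000-00000000beef"}
{"CreationTime":"2023-06-15T09:05:00","Operation":"Send","UserId":"carol@example.gov","ClientAppId":"dead0000-0000-0000-0000-00000000beef"}
{"CreationTime":"2023-06-15T09:06:00","Operation":"MailItemsAccessed","UserId":"dave@example.gov"}
"""

# Client app IDs this tenant expects to see in mailbox-access events.
# Placeholder allowlist: build the real one from your own historical baseline.
EXPECTED_CLIENT_APP_IDS = {"aaaa0000-0000-0000-0000-000000000001"}

def parse_audit_log(text):
    """Parse a JSON-lines audit export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_unexpected_mail_access(records, expected=EXPECTED_CLIENT_APP_IDS):
    """Return MailItemsAccessed events whose ClientAppId is absent or not on the allowlist.
    A missing ClientAppId is treated as suspicious rather than silently ignored."""
    return [
        r for r in records
        if r.get("Operation") == "MailItemsAccessed"
        and r.get("ClientAppId") not in expected
    ]

def mailboxes_per_app(findings):
    """Group flagged events by app ID and list the distinct mailboxes each one touched."""
    seen = defaultdict(set)
    for r in findings:
        seen[r.get("ClientAppId", "<no ClientAppId>")].add(r["UserId"])
    return {app: sorted(users) for app, users in seen.items()}

if __name__ == "__main__":
    flagged = flag_unexpected_mail_access(parse_audit_log(SAMPLE_AUDIT_LOG))
    for app, users in mailboxes_per_app(flagged).items():
        print(f"{app}: {len(users)} mailbox(es) accessed: {', '.join(users)}")
```

MailItemsAccessed is the premium-tier audit event the officials quoted later in the article are referring to; without that licensing tier the event is not recorded, and this check has nothing to run over.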

Raimondo has been one of the Biden administration's most outspoken voices against Beijing and has a heavy role in shaping China policy. She's helped steer the Chips Act through Congress and through her department is responsible for oversight over the so-called "Entity List," which categorizes foreign businesses prohibited from importing American technology without obtaining prior approval. Right now, the list comprises more than 600 Chinese entities.

A State Department spokesperson, who was not authorized to talk on the record on this issue, confirmed the department was hit.

Details: The spokesperson said the department "detected anomalous activity, took immediate steps to secure our systems, and will continue to closely monitor and quickly respond to any further activity." But they declined to give further details of the response, citing cybersecurity policy, and said the incident remains under investigation, adding: "We continuously monitor our networks and update our security procedures."

CISA and the FBI said the attackers pierced systems at State and about two dozen other global organizations by using forged authentication tokens, in a breach first made public by Microsoft on Tuesday night. Microsoft investigators identified the infiltrators as Storm-0558, a group whose activity centers on espionage, credential access and data theft against government agencies in Western Europe.

“Last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” White House National Security Council spokesperson Adam Hodge said in a statement Wednesday. “Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. Government to a high security threshold.”

There were no classified systems or data impacted by the campaign, senior officials at the FBI and CISA said in a briefing to reporters, adding that the number of U.S.-based organizations impacted was in the single digits. However, the officials made clear they were applying pressure on Microsoft to provide more log data at no cost — including the premium feature that was needed to detect the attack.

"It bears noting that a preponderance of organizations using Microsoft 365 or other widely used technology platforms are not paying for premium logging or other telemetry services," said one senior CISA official, who like the others spoke anonymously as a condition of the briefing to reporters. "And we believe that model is not yielding the sort of security outcomes that we have."

China responds: Wang Wenbin, the spokesperson for China's Ministry of Foreign Affairs, did not deny the breach when asked about it during a press conference in Beijing on Wednesday, but accused the U.S. of being "the world's biggest hacking empire and global cyber thief."

"Since last year, cybersecurity institutions from China and elsewhere in the world have issued reports to reveal U.S. government’s cyberattacks against China over the years, but the U.S. has yet to make a response," Wang said. "It is high time that the U.S. explained its cyberattack activities and stopped spreading disinformation to deflect public attention."

The cyberattack also came to light just ahead of Lt. Gen. Timothy Haugh’s long-awaited nomination hearing Wednesday to lead the National Security Agency and U.S. Cyber Command, though the incident was not a major topic of the session. Haugh did, however, commend government agencies, foreign partners and industry for producing "very clear, unclassified, releasable advisories" on how China targets U.S. infrastructure while speaking to the Senate Intelligence Committee.

Congressional reaction: Senate Intel Committee Chair Mark Warner (D-Va.) said in a statement Wednesday that his committee is “closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence.”

“It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies,” Warner said. “Close coordination between the U.S. government and the private sector will be critical to countering this threat.”

House cyber subcommittee Chair Andrew Garbarino (R-N.Y.) also said his panel "is in contact with CISA as we continue to uncover more details about China's latest attack on our federal government."

Pattern of attacks: The breach is the latest to hit federal agencies in recent years. Most recently, Russian cybercriminals exploited the file transfer system MOVEit last month in an apparent attempt to steal data from U.S. government agencies and dozens of other groups around the world. The Department of Energy was one of the agencies reportedly impacted by this breach. A spokesperson for DOE did not respond to a request for comment on whether the agency was impacted by the new attack on Microsoft systems.