Chinese hackers targeted U.S. government emails through Microsoft breach, White House says
Breach is the latest in a series of attacks hitting federal agencies and comes as tensions grow between the U.S. and China.
China-based hackers gained access to the emails of at least one U.S. federal agency last month through a vulnerability in Microsoft email systems, the Biden administration confirmed Wednesday.
Zoom out: The hack comes weeks after a Russian-linked cybercriminal group also breached networks at U.S. agencies, and as tensions grow between the U.S. and China.
The Cybersecurity and Infrastructure Security Agency and the FBI put out a joint advisory Wednesday announcing that an unnamed federal agency first spotted the suspicious activity in mid-June after noticing Microsoft 365 audit logs were being accessed by licensed users in Exchange Online mailboxes through abnormal programs. The agency then reported the activity to Microsoft and CISA.
Details: The attackers pierced the agency's systems and those of around two dozen other organizations by using forged authentication tokens in a breach first made public by Microsoft on Tuesday night. The Microsoft investigators identified the infiltrators as Storm-0558, a group that primarily uses espionage, credential access and data theft to target government agencies in Western Europe.
“Last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” White House National Security Council spokesperson Adam Hodge said in a statement Wednesday. “Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. Government to a high security threshold.”
Targets: The government agencies impacted by the breach were not immediately clear. A spokesperson for the Department of Defense declined to comment on the breach. A spokesperson for CISA declined to elaborate on the advisory, and the FBI did not respond to a request for further comment.
Wang Wenbin, the spokesperson for China's Ministry of Foreign Affairs, did not deny the breach when asked about it during a press conference in Beijing on Wednesday, but accused the U.S. of being "the world's biggest hacking empire and global cyber thief."
"Since last year, cybersecurity institutions from China and elsewhere in the world have issued reports to reveal U.S. government’s cyberattacks against China over the years, but the U.S. has yet to make a response," Wang said. "It is high time that the U.S. explained its cyberattack activities and stopped spreading disinformation to deflect public attention."
The cyberattack came to light just ahead of Lt. Gen. Timothy Haugh’s long-awaited nomination hearing to lead the National Security Agency and U.S. Cyber Command in front of the Senate Intelligence Committee Wednesday afternoon.
Congressional reaction: Senate Intel Committee Chair Mark Warner (D-Va.) said in a statement Wednesday that his committee is “closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence.”
“It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies,” Warner said. “Close coordination between the U.S. government and the private sector will be critical to countering this threat.”
Pattern of attacks: The breach is the latest to hit federal agencies in recent years. Most recently, Russian cybercriminals exploited the file transfer system MOVEit last month in an apparent attempt to steal data from U.S. government agencies and dozens of other groups around the world. The Department of Energy was one of the agencies reportedly impacted by this breach. A spokesperson for DOE did not respond to a request for comment on whether the agency was impacted by the new attack on Microsoft systems.