China-linked cyberattackers stole email data in a hack hitting the U.S. government earlier this year, according to cybersecurity professionals.
The Cybersecurity and Infrastructure Security Agency and Microsoft published new details about the hackers’ digital espionage that Microsoft previously said affected some 25 organizations, including government agencies.
“Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” CISA said in a Friday update of an earlier advisory about the advanced persistent threat actors. “The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users.”
Precisely how the hacking group obtained the Microsoft account consumer key is “a matter of ongoing investigation,” the Big Tech company said in a Friday blog post.
Microsoft said the advanced persistent threat actor Storm-0558 is based in China and has the capability to download emails, attachments and other data from email accounts.
“In past activity observed by Microsoft, Storm-0558 has primarily targeted U.S. and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests,” Microsoft said. “Historically, this threat actor has displayed an interest in targeting media companies, think tanks, and telecommunications equipment and service providers.”
Details on who in the Biden administration was affected by the email theft are not fully known, though hacked officials are believed to include Commerce Secretary Gina Raimondo. The Commerce Department is responsible for blacklisting foreign people and entities with restrictions on their work in the U.S. because of national security concerns.
The Biden administration has said it is on top of the matter and teaming with Microsoft to respond. National Security Adviser Jake Sullivan said last week that the federal government discovered the problem “fairly rapidly” and were able to stop additional breaches.
The identity of the hackers remains hazy, although Microsoft’s Friday update said the China-based hackers are technically skilled and well-resourced, and their core working hours are consistent with the work day in China.
Senate Select Committee on Intelligence Chairman Mark R. Warner said last week that those responsible for the breaches appear to have connections to Chinese intelligence.
“It’s clear that the PRC [People’s Republic of China] is steadily improving its cyber collection capabilities directed against the U.S. and our allies,” Mr. Warner said in a statement. “Close coordination between the U.S. government and the private sector will be critical to countering this threat.”
• This article is based in part on wire service reports.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.
Please read our comment policy before commenting.