A China-based threat actor has been spotted targeting Western European and US agencies in an ongoing espionage campaign designed to steal data and collect user credentials.
Microsoft and the US Cybersecurity and Infrastructure Security Agency report that suspicious activity was spotted by a member of a US federal agency on 16 June.
Upon investigation, Microsoft discovered the threat actor behind the campaign, Storm-0558, attempting to access Outlook accounts using forged authentication tokens. The threat actor had been accessing accounts from at least 15 May and had already targeted 25 organisations, both in the US and in Western Europe.
As of 11 July, Microsoft reported that it had fully blocked the campaign, contacted the affected organisations and offered to assist with any further mitigation efforts.
“The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail,” Microsoft said in a blog post. “We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.”
Microsoft has since blocked the usage of any tokens signed by the particular MSA key and has replaced the key itself.
“We have continuously improved the security of the MSA key management systems since the acquired MSA key was issued, as part of defence in depth, to ensure the safety and security of consumer keys,” Microsoft concluded.
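Microsoft's remediation (refusing any token signed by the compromised key, then replacing the key) is a check a token consumer can make explicit. The following is an added example, not Microsoft's code or part of the original article: a minimal verifier that rejects a token whose key ID is on a revocation list before anything else, then validates signature, issuer, audience and expiry. The key IDs, secrets, issuer and audience are constructed placeholders, and HMAC stands in for the asymmetric keys a real identity provider would use.

```python
import base64, hashlib, hmac, json

# Constructed signing keys indexed by key ID (kid). A real identity provider
# uses asymmetric keys; HMAC is used so the example runs offline.
KEYS = {"key-2022": b"constructed-old-secret", "key-2023": b"constructed-new-secret"}
# Key IDs refused after a compromise: every token the old key ever signed is
# rejected regardless of expiry, and only the replacement key is trusted.
REVOKED_KIDS = {"key-2022"}
EXPECTED_ISS = "https://issuer.example"  # assumed issuer
EXPECTED_AUD = "mail-api"                # assumed audience

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims, kid):
    """Mint an HS256 token under the key named by kid (used to build sample tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], (header + "." + body).encode(), hashlib.sha256).digest()
    return header + "." + body + "." + _b64url(sig)

def verify_token(token, now):
    """Return the claims if the token is acceptable at time `now`, else raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_unb64url(h64))
        if not isinstance(header, dict):
            raise ValueError
    except ValueError:
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    kid = header.get("kid")
    if kid in REVOKED_KIDS:
        raise ValueError("revoked key: " + kid)  # blocked even if otherwise valid
    if kid not in KEYS:
        raise ValueError("unknown signing key")
    expected = hmac.new(KEYS[kid], (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p64))
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims
```

A token signed with the revoked key is refused by key ID alone, so the revocation takes effect without waiting for the token's own expiry.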
Dan Schiappa, chief product officer at Arctic Wolf, feels the threat of Chinese-backed espionage operations is only going to grow.
“Unfortunately, Microsoft’s findings aren’t surprising, and this won’t be the last news-making story of this nature,” Schiappa told Cyber Security Connect via email. “In the security community, we’ve been warning of a surge in Chinese state-sponsored activity for a while now, as both the domestic and geopolitical tensions with China continue to rise.”
“Chinese threat activity is not financially motivated; it is focused on spycraft, which lends itself to long-term, undetected attacks. It’s important to look at the big picture of this incident, with the backdrop of the current technology race between China and the US, particularly with the rise of AI. It’s clear that research, development, and government data have become high-value targets as AI becomes the new battlefield for the tech cold war.”
Schiappa also believes that China is very much looking down under and that the rise in supply chain attacks could well lead to that being a growing vector for espionage.
“Recent high-profile attacks show Australia is also in the crosshairs of these threat actors. For businesses with any government contracts or relationships with those that are involved with bleeding-edge technology research or military-grade operations, an unassuming third-party vendor could be the vehicle of intrusion and intelligence gathering,” Schiappa said.
“Patching even the smallest vulnerability and enforcing a culture of security across all users, particularly as forged authentication tokens and stolen credentials run rampant on the dark web, can be the difference between an incident and a close call.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.