US review board to investigate Microsoft email breach

The Department of Homeland Security in the US has directed the Cyber Safety Review Board to look into a Microsoft hack that led to the emails of numerous government agencies being accessed by a Chinese threat actor.

Microsoft and the US Cybersecurity and Infrastructure Security Agency reported suspicious activity on 16 June.

Microsoft’s investigators uncovered the Storm-0558 group accessing Outlook accounts using forged authentication tokens. The threat actor had been accessing accounts from at least 15 May and had already targeted 25 organisations, both in the US and in Western Europe.

“The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail,” Microsoft said in a blog post. “We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.”

============

However, the breach and Microsoft’s actions in dealing with the incident will now be thoroughly reviewed.

“The CSRB will assess the recent Microsoft Exchange Online intrusion, initially reported in July 2023, and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers,” said Homeland Security in a statement. “The department began considering whether this incident would be an appropriate subject of the board’s next review immediately upon learning of the incident in July. The board will develop actionable recommendations that will advance cyber security practices for both cloud computing customers and CSPs themselves. Once concluded, the report will be transmitted to President Joseph R. Biden, Jr. through Secretary [Alejandro] Mayorkas and Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly.”

According to The Washington Post, the Chinese hackers accessed accounts at both the state and commerce departments. Gina Raimondo, the Commerce Secretary, was particularly targeted.

“Raimondo is the only known cabinet-level official to have their account compromised in the targeted cyber espionage campaign, according to US officials familiar with the matter, who spoke on the condition of anonymity due to the matter’s sensitivity,” The Washington Post reported.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.