Microsoft announced on Tuesday that it successfully thwarted a cyberattack by a Chinese nation-state actor that was aimed at two dozen organizations, some of which were government institutions, in an effort to obtain sensitive data.
Approximately 25 organizations, along with a limited number of associated individual consumer accounts, were impacted by the attacks, which started on May 15, 2023.
The tech giant traced the effort to Storm-0558, a nation-state actor based in China that primarily targets Western European governments.
According to Microsoft, they "focus on espionage, data theft, and credential access." The group also has a history of using custom malware, such as Cigril and Bling, which Microsoft tracks.
The breach is believed to have been discovered one month later, on June 16, 2023, after an unnamed customer alerted Microsoft to unusual email activity.
Microsoft said it directly notified all affected or targeted organizations through their tenant administrators. It did not disclose the number of accounts that may have been compromised or the names of the companies and agencies affected.
However, the researchers claim that the attackers also gained access to many unclassified U.S. email accounts.
According to researchers, forged authentication credentials allowed access to user email accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com.
"The actor used forged tokens to access OWA and Outlook.com," it said. "The actor used an acquired MSA key." Microsoft noted that MSA (consumer) keys and Azure AD (enterprise) keys are generated and managed by different systems and should only be valid for their corresponding services.
By exploiting a token validation flaw, the actor impersonated Azure AD users to access enterprise mail.
There is no proof that the threat actor employed any MSA or Azure AD keys in the attacks. To counter the attack, Microsoft has since disabled the use of tokens signed with the acquired MSA key in OWA.
Espionage-motivated adversaries of this kind seek to exploit credentials and gain access to data stored in sensitive systems.
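The validation weakness the article describes, a consumer-system signing key being honored by the enterprise mail service, comes down to where a token validator looks up the key named in the token header. The following added example (written for this page, not Microsoft's code) contrasts a naive validator that searches every known key set for the key ID with a scoped validator that only consults the key set of the issuer the service trusts. Issuer URLs, key IDs, key bytes and the mail audience are constructed placeholders, and HMAC-SHA256 stands in for the asymmetric keys a real identity platform would use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: two separately managed signing systems, mirroring the
# article's MSA (consumer) versus Azure AD (enterprise) key separation.
# Issuer strings, key IDs and key bytes are placeholders, not real values.
CONSUMER_ISSUER = "https://login.consumer.example/"
ENTERPRISE_ISSUER = "https://login.enterprise.example/tenant-a/"
KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"consumer-kid-1": b"consumer-secret-0123456789abcdef"},
    ENTERPRISE_ISSUER: {"enterprise-kid-1": b"enterprise-secret-fedcba98765432"},
}
MAIL_AUDIENCE = "https://mail.example/"  # placeholder for the mail service


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, kid: str, claims: dict) -> str:
    """Test fixture: an HS256 JWT as the named issuer's own signing service
    would produce it. The caller controls the claims, so the fixture can also
    model a token whose claims name a different issuer than the key used."""
    key = KEYS_BY_ISSUER[issuer][kid]
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, parts[0] + "." + parts[1], _b64url_decode(parts[2])


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _common_checks(claims: dict, audience: str):
    if claims.get("aud") != audience:
        return False, "wrong audience"
    if claims.get("exp", 0) <= time.time():
        return False, "expired"
    return True, "accepted"


def verify_naive(token: str, audience: str) -> tuple:
    """Weak validation: the kid is searched across every key set the service
    knows about. A token signed by the consumer system therefore passes for
    the enterprise mail service as long as its claims look right."""
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    for keyset in KEYS_BY_ISSUER.values():
        key = keyset.get(header.get("kid"))
        if key is not None:
            break
    else:
        return False, "unknown kid"
    if not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    return _common_checks(claims, audience)


def verify_scoped(token: str, expected_issuer: str, audience: str) -> tuple:
    """Hardened validation: the key is looked up only in the key set of the
    issuer this service trusts, and the iss claim must name that issuer too.
    A key that belongs to another issuer's system is never consulted."""
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    key = KEYS_BY_ISSUER.get(expected_issuer, {}).get(header.get("kid"))
    if key is None:
        return False, "kid not in issuer's key set"
    if not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    return _common_checks(claims, audience)
```

The scoped validator also checks the `iss` claim, but that alone is not enough: claims are attacker-controlled once a signing key is held, so the binding that actually matters is that the key ID is resolved only within the expected issuer's key set.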