A recent cybersecurity breach of U.S. government emails may have reached further than initially thought, according to a new report by the cybersecurity firm Wiz.inc.
Earlier this month, Microsoft and U.S. government cybersecurity experts identified a breach of email systems tied to 25 organizations, including several U.S. government agencies. Microsoft attributed the security breach, which likely occurred in May, to a Chinese government-linked hacking group called Storm-0558. According to Microsoft, Storm-0558 obtained a private encryption key, known as an MSA key, and used it to forge access tokens for the Outlook Web Access (OWA) and Outlook.com services.
The U.S. government has provided few details about the exact extent of this hacking incident. Reports have indicated that email accounts for U.S. Commerce Secretary Gina Raimondo were impacted, as were accounts belonging to U.S. Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asian and Pacific Affairs Daniel Kritenbrink.
At a July 12 press briefing, officials with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that no sensitive information was stolen during the hack.
Microsoft assessed that the hack only impacted its Outlook.com and Exchange Online services.
On Friday, Wiz published its own assessment finding that the way the hack had taken place could indicate a larger breach than Microsoft or U.S. government officials have let on thus far.
“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the ‘login with Microsoft’ functionality, and multi-tenant applications in certain conditions,” wrote Wiz researcher Shir Tamari.
While Microsoft says it has mitigated the threat posed by the hacked MSA key and published new indicators of compromises, Wiz assessed that “it may be difficult for customers to detect the use of forged tokens against their applications due to lack of logs on crucial fields related to the token verification process.”
Describing the security concerns Wiz raised, cybersecurity researcher Jake Williams wrote on Twitter, “This is a nightmare scenario for those assessing impact. A significant number of third-party applications use Microsoft as an authentication provider. We now know they are potentially impacted. Few third party apps provide sufficient logging to detect misuse.”
Microsoft has denied Azure Active Directory applications have been harmed by the Storm-0558 hack.
In response to the Wiz report, a Microsoft spokesperson told NTD News: “This blog highlights some hypothetical attack scenarios, but we’ve not observed those outcomes in the wild. We recommend that customers review our blogs, specifically our Microsoft Threat Intelligence blog, to learn more about this incident and investigate their own environments using the Indicators of Compromise (IOCs) that we’ve made public.”
Microsoft Increasing Security Measures
This cybersecurity breach has brought scrutiny on Microsoft and its contracts with various corporate and government offices.
Sen. Ron Wyden (D-Ore.) said Microsoft should offer all of its full forensic capabilities to all of its customers, saying that “charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags.”
Amid this pressure, Microsoft announced on July 19 that it would begin providing its standard Microsoft Purview Audit customers with “deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level.”
“In response to the increasing frequency and evolution of nation-state cyberthreats, Microsoft is taking additional steps to protect our customers and increase the secure-by-default baseline of our cloud platforms,” the company announced. “These steps are the result of close coordination with commercial and government customers, and with the Cybersecurity and Infrastructure Security Agency (CISA) about the types of security log data Microsoft provides to cloud customers for insight and analysis.”
CISA Director Jen Easterly praised Microsoft’s announcement, saying, “While we recognize this will take time to implement, this is truly a step in the right direction toward the adoption of Secure by Design principles by more companies.”
Reuters contributed to this article.