17 July 2023

Microsoft shares more details on Chinese Storm-0558 attack


Microsoft has published technical details on a recently disclosed cyber-espionage campaign by a China-based threat actor it tracks as Storm-0558 in which the group breached an unidentified number of email accounts linked to around 25 organizations, including some related individual consumer accounts and government agencies in Western Europe and the US.

The threat actor used forged authentication tokens to access the affected email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com. The attacks took place from May 15, 2023, until June 16, when Microsoft began its investigation following a customer report.

Microsoft says it found some overlaps with other China-linked hacking groups such as Violet Typhoon (Zirconium, APT31), but it appears that Storm-0558 operates as a separate group. Previously, Storm-0558 has primarily targeted US and European diplomatic, economic, and legislative governing bodies, as well as individuals connected to Taiwan and Uyghur geopolitical interests.

The threat actor commonly compromises its targets through breached email accounts belonging to employees of the targeted organizations.

“Storm-0558 pursues this objective through credential harvesting, phishing campaigns, and OAuth token attacks. This threat actor has displayed an interest in OAuth applications, token theft, and token replay against Microsoft accounts since at least August 2021,” the tech giant said. “Storm-0558 operates with a high degree of technical tradecraft and operational security. The actors are keenly aware of the target’s environment, logging policies, authentication requirements, policies, and procedures. Storm-0558’s tooling and reconnaissance activity suggests the actor is technically adept, well-resourced, and has an in-depth understanding of many authentication techniques and applications.”

As for the recent attacks, the Windows maker has admitted that it still does not know how the threat actors obtained an inactive Microsoft account (MSA) consumer signing key, which was used to forge the tokens that breached the Exchange Online and Azure AD accounts.

“The method by which the actor acquired the key is a matter of ongoing investigation,” Microsoft noted, adding that all MSA keys active prior to the incident, including the actor-acquired MSA signing key, have been invalidated. Azure AD keys were not impacted.

“No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys. We continue to explore other ways the key may have been acquired and add additional defense in depth measures,” Microsoft said.
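A defender-side sketch of the check the invalidation above relies on (an added example, not Microsoft's code): a token verifier that resolves the token's key id against a store of currently active signing keys, so a token signed under a retired or invalidated key is refused before its signature is even examined. HMAC stands in for the asymmetric keys MSA and Azure AD actually use, and the key ids, secrets and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Constructed key store: kid -> secret and status. Real MSA and Azure AD
# signing keys are asymmetric; HMAC stands in so this runs on the stdlib alone.
KEYS = {
    "kid-2021-retired": {"secret": b"retired-secret", "active": False},
    "kid-2023-current": {"secret": b"current-secret", "active": True},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact header.payload.signature token under the named key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64(mac.digest())}"

def invalidate_key(kid: str) -> None:
    """Retire a key: every token it ever signed is refused from now on."""
    KEYS[kid]["active"] = False

def verify_token(token: str, now: float) -> Tuple[bool, str]:
    """Return (accepted, reason). The kid is resolved against the active key set
    before the signature is checked, so a retired key fails even with a valid MAC."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        claims = json.loads(_unb64(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed token"
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if not key["active"]:
        return False, "kid refers to an invalidated key"
    mac = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _unb64(sig_b64)):
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"
```

The key-status check runs before the signature check on purpose: a verifier that trusts any key it can still find in its store, active or not, is exactly what lets a token signed under an old key through.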
