Hackers, possibly linked to China’s intelligence agencies, are being blamed for a monthlong campaign that breached some unclassified U.S. email systems, allowing them to access a small number of accounts at the U.S. State Department and a handful of other organizations.
Microsoft first announced the intrusion Tuesday, attributing the attack on its Outlook email service to Chinese threat actors it dubbed Storm-0558.
The company said in a blog post that the hackers managed to forge a Microsoft authentication token and gain access to the email accounts of 25 organizations, both in the U.S. and around the globe, starting in mid-May.
The company said access was cut off after the breach was discovered a month later.
“We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection,” Microsoft said. “This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.”
The State Department confirmed Wednesday that it had discovered the breach and had taken “immediate steps” to secure its systems and to notify Microsoft.
Some U.S. officials, however, were hesitant to back Microsoft’s attribution for the attack while saying the U.S. “would make all efforts to impose costs” on whoever was responsible.
“The sophistication of this attack, where actors were able to access mailbox content of victims, is indicative of APT [advanced persistent threat] activity but we are not prepared to discuss attribution at a more specific level,” a senior FBI official told reporters Wednesday, briefing them on the condition of anonymity.
According to senior officials with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), the number of U.S. victims of the Microsoft Outlook breach was in the single digits and only a small number of accounts were accessed.
They added that because the breach was detected quickly, the hackers did not have access to any email account for more than a month and never had access to any classified information or systems. In many cases, their access lasted only days.
Still, the officials noted reason for concern.
“The targeting was intentional,” said a senior CISA official who spoke to reporters on the condition of anonymity.
“This appears to have been a very targeted, surgical campaign that was not seeking the breadth of access we have seen in other campaigns,” the official added.
Despite the reluctance of some U.S. cyber officials to place the blame on China, there was no hesitation Wednesday from key U.S. lawmakers.
“The Senate Intelligence Committee is closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence,” Chairman Mark Warner said in a statement.
“It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies,” the Virginia Democrat added. “Close coordination between the U.S. government and the private sector will be critical to countering this threat.”
Top U.S. intelligence, security and military officials have long warned about the growing cybersecurity threat posed by China-linked hackers.
Earlier this year, CISA Director Jen Easterly warned China “will almost certainly” employ aggressive cyber operations against the U.S. should tensions between Washington and Beijing get worse.
A separate Defense Department cyber strategy likewise warned that China was increasing its investments in military cyber capabilities while also empowering a growing number of cyber proxies.
But John Hultquist, chief analyst at Google’s Mandiant cybersecurity intelligence operation, said this latest attack showed that the Chinese threat has evolved in a very dangerous way.
“Chinese cyber espionage has come a long way,” Hultquist said in an email. “They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth.”
VOA reached out to the Chinese Embassy in Washington about the allegations that Beijing was behind the Microsoft attack.
“China is against cyberattacks of all kinds and has suffered from cyber hacking,” Chinese Embassy spokesperson Liu Pengyu told VOA in an email. “As MFA (Ministry of Foreign Affairs) spokesperson has commented at regular press conference, the source of Microsoft's claim is information from the U.S. government authorities.”
Liu went on to call the U.S. “the biggest hacking empire and global cyber thief,” saying it was “high time that the U.S. explained its cyberattack activities and stopped spreading disinformation to deflect public attention.”
In its blog post about the latest breach Tuesday, Microsoft said it had managed to repair its systems for all of its customers.
The FBI and CISA on Wednesday separately issued a cybersecurity advisory, urging organizations using Microsoft Exchange Online to strengthen their security measures and to increase monitoring of their systems to catch any suspicious activity.