Microsoft was the target of an attack by Chinese hackers earlier this summer. Following an in-depth investigation, the Redmond giant discovered how these hackers managed to steal a public signature key, a critical piece of data that unfortunately ended up in the wrong place at the wrong time.
In early July, Microsoft revealed that a group of Chinese hackers, dubbed Storm-0558, had managed to infiltrate the Outlook inboxes of around 25 US government organisations. For a month, these hackers had access to all the conversations of several agencies, including the Departments of Commerce and State. European government agencies were also affected.
More than two months after the attack, Microsoft has published a detailed report on the circumstances surrounding the incident. The company's investigation indicates that the initial stages of the hack date back to April 2021.
Microsoft identified the origin of this intrusion. At the time, a failure in the public signature system, which is responsible for verifying the authenticity and integrity of messages and digital documents, produced an unintended snapshot of the system's state at that moment. That snapshot was written to a debugging file known as a 'crash dump', which records the state of a computer system when it encounters a fatal error. Unfortunately, this automatically generated file contained a Microsoft public signature key.
According to the company, this file should never contain sensitive information. Since the incident, Microsoft says it has corrected the flaw: in theory, signature keys should no longer be found in files generated during a crash dump. It was thanks to this signature key that the Storm-0558 hackers were able to carry out their operation. They used the key to generate "authentication tokens" that let them authenticate to the servers as legitimate email users, thus giving them access to the targeted Outlook accounts.
However, how Storm-0558 obtained this signature key remains a mystery. Microsoft's investigation reveals that the crash dump file containing the sensitive data was transferred from "debug mode" to the company's network, which is connected to the Internet.
Apparently, the hackers took control of a Microsoft engineer's account to move the file shortly after its creation. This account, compromised at an earlier stage, had access to "debug mode". From there, the hackers simply extracted the sensitive data via the Internet. The signature key was not exploited until two years later. We can assume that the hackers stumbled across the key by chance while rummaging through the engineer's account. All the flaws have since been corrected, according to Microsoft, which acknowledges that it has no concrete proof of the attackers' modus operandi:
"We do not have logs containing specific evidence of this exfiltration by this actor, but this is the most likely mechanism by which it acquired the key."
Microsoft has made significant improvements to its security systems in response to this attack. In particular, the company has strengthened its scanning of "identification information" to better detect the presence of signature keys in the debugging environment. In addition, Microsoft is actively working to prevent sensitive data from ending up again in files that are automatically generated in the event of a failure.
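The kind of check described above, scanning a crash dump for private key material before it leaves the debugging environment, can be illustrated with a small scanner. The example below is added here and is not Microsoft's tooling or code from the original article; the dump contents, the PEM block and the JWK are constructed sample data, and the set of formats it recognises (PEM private keys and JWKs carrying private-half members) is an assumption chosen for illustration.

```python
import json
import re

# PEM-encoded private keys: "-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----", etc.
PEM_PRIVATE_RE = re.compile(
    rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----",
    re.DOTALL,
)
# Brace-delimited, non-nested JSON objects embedded in the dump (candidate JWKs).
JSON_OBJECT_RE = re.compile(rb"\{[^{}]{0,4096}\}")
# JWK members that exist only on the private half of an RSA/EC key (RFC 7518).
JWK_PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi"}


def find_key_material(blob: bytes) -> list[dict]:
    """Return every span of private signing-key material found in a crash dump.

    A public key (JWK with only 'n'/'e' or 'x'/'y') is deliberately not reported:
    the concern is the private half, which is what allows tokens to be forged.
    """
    findings = []
    for m in PEM_PRIVATE_RE.finditer(blob):
        findings.append({"kind": "pem_private_key", "start": m.start(), "end": m.end(), "kid": None})
    for m in JSON_OBJECT_RE.finditer(blob):
        try:
            obj = json.loads(m.group(0).decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue  # binary noise that happened to contain braces
        if isinstance(obj, dict) and obj.get("kty") and JWK_PRIVATE_MEMBERS & obj.keys():
            findings.append({"kind": "jwk_private_key", "start": m.start(), "end": m.end(), "kid": obj.get("kid")})
    findings.sort(key=lambda f: f["start"])
    return findings


def redact_key_material(blob: bytes) -> bytes:
    """Overwrite each finding with zero bytes of equal length.

    Lengths are preserved so offsets referenced elsewhere in the dump stay valid
    and the file remains usable for debugging.
    """
    buf = bytearray(blob)
    for f in find_key_material(blob):
        buf[f["start"]:f["end"]] = b"\x00" * (f["end"] - f["start"])
    return bytes(buf)


def safe_to_export(blob: bytes) -> bool:
    """Gate for moving a dump out of the isolated debug environment."""
    return not find_key_material(blob)


# Constructed sample dump: minidump-style header, a module name, a fake PEM block
# (not a real key), binary noise, and a JWK that carries the private exponent 'd'.
SAMPLE_DUMP = (
    b"MDMP\x93\xa7\x00\x00" + b"\x00" * 32
    + b"module: tokenservice.dll\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIB-CONSTRUCTED-NOT-A-REAL-KEY-AAAA\n-----END RSA PRIVATE KEY-----\n"
    + b"\xff\xfe" * 8
    + b'{"kty":"RSA","kid":"example-signing-key","n":"AQAB","e":"AQAB","d":"CONSTRUCTED"}'
    + b"\x00" * 16
)

if __name__ == "__main__":
    for f in find_key_material(SAMPLE_DUMP):
        print(f"{f['kind']} at offset {f['start']} (kid={f['kid']})")
    print("safe to export:", safe_to_export(SAMPLE_DUMP))
    print("safe after redaction:", safe_to_export(redact_key_material(SAMPLE_DUMP)))
```

The scanner runs on the raw bytes rather than on a parsed minidump, so it also catches key material sitting in heap pages or in a logged string; the trade-off is that it only recognises the encodings it has patterns for, which is why such a check complements, rather than replaces, keeping signing keys out of the crashing process in the first place.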