Chinese hackers accessed US government emails for a month

12 Jul 2023

A Microsoft report says the China-based threat actor conducts espionage and data theft, with a focus on government agencies in Western Europe.

Microsoft has confirmed that hackers based in China were able to access the emails of 25 organisations, including some government agencies.

The company did not publicly reveal which government agencies were impacted but said the threat actor – dubbed Storm-0558 – primarily targets government agencies in Western Europe. Meanwhile, a US National Security Council spokesperson told CNN that the US government “identified an intrusion” in Microsoft’s cloud security last month.

Based on Microsoft’s investigation, this threat actor gained access to email data on 15 May. The company only started investigating on 16 June after receiving “customer reported information”. Microsoft said the attack has been mitigated.

“As with any observed nation-state actor activity, Microsoft has contacted all targeted or compromised organisations directly via their tenant admins and provided them with important information to help them investigate and respond,” the company said in a threat report.

Microsoft said this China-based threat actor conducts data collection with a focus on “espionage, data theft and credential access”.

“This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems,” Microsoft said.

The company said Storm-0558 gained access to these 25 organisations using “forged authentication tokens” to access user emails. The tokens were forged with an acquired Microsoft account (MSA) consumer signing key.

“The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail,” Microsoft said. “Outlook Web Access (OWA) and are the only services where we have observed the actor using tokens forged with the acquired MSA key.”

“These well-resourced adversaries draw no distinction between trying to compromise business or personal accounts associated with targeted organisations, since it only takes one successfully compromised account login to gain persistent access, exfiltrate information and achieve espionage objectives,” Microsoft said.

“We need to continue to push the envelope on security so we’re prepared for whatever might come our way. We will continue to work with our customers and community to share information and strengthen our collective defences.”

In March, Microsoft issued a patch for a critical Outlook vulnerability, which was used by Russian hackers to launch cyberattacks on multiple European organisations.

Leigh Mc Gowran is a journalist with Silicon Republic