The threat actor, which Microsoft tracks as Storm-0558, also gained access to consumer email accounts of people associated with these organizations, Microsoft warned. Microsoft said the hacking group typically targets Western European governments for espionage, data theft and credential access.
“Chinese cyber espionage has come a long way from the smash and grab tactics many of us are familiar with,” John Hultquist, chief analyst for Mandiant at Google Cloud, said in a statement. “They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect.”
The Cybersecurity and Infrastructure Security Agency and the FBI said officials at a federal civilian agency, later identified by the New York Times as the State Department, detected unusual activity in their Microsoft 365 environment in mid-June and notified Microsoft about the incident.
“What's implicit there is that the U.S. government customer referenced in the advisory was able to identify the problem, work with Microsoft and CISA in mitigating the problem and CISA and the FBI have been able to produce an advisory,” Acting National Cyber Director Kemba Walden said Wednesday afternoon during a separate conference call on the national cybersecurity strategy.
“That is exactly what is at the heart of the strategy and frankly, at the heart of the implementation plan, collaboration between the public sector and the private sector to make sure that downtimes are swift and that the impact is not catastrophic,” Walden said.
Microsoft investigated and realized an advanced persistent threat actor gained access to and stole unclassified Exchange Online Outlook data from a small number of accounts. Microsoft and federal officials determined the activity began in May and lasted about a month.
Federal officials have not attributed the attacks to a particular country, but confirmed an APT actor was involved.
State Department officials confirmed the agency was hacked, but declined to provide details about how they responded.
“The Department of State detected anomalous activity, took immediate steps to secure our systems, and will continue to closely monitor and quickly respond to any further activity,” a spokesperson said via email. “As a matter of cybersecurity policy, we do not discuss details of our response and the incident remains under investigation.”
The agency “has a robust cyber security program to protect our systems and information and works continuously to build resilience and stay ahead of malicious actors,” the spokesperson added. “We continuously monitor our networks and update our security procedures.”
The hackers used authentication tokens forged with a Microsoft consumer signing key to access email, according to Microsoft. A small number of individuals at targeted organizations were also hit by the hackers. Federal officials said they are still investigating the root cause of the attacks.
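The failure mode described above is a token validator that honours a signing key outside the scope it was issued for. The added example below (not code from the article or from Microsoft) uses a minimal HS256 JWT and constructed keys and issuer URLs to show a flat key lookup that accepts a consumer-key token presented to an enterprise resource, next to a validator that scopes key lookup to the expected issuer and rejects it.

```python
import base64, hashlib, hmac, json

# Constructed demo keys and issuers (assumptions, not real Microsoft values).
CONSUMER_KEY = {"kid": "consumer-k1", "secret": b"consumer-demo-secret"}
ENTERPRISE_KEY = {"kid": "enterprise-k1", "secret": b"enterprise-demo-secret"}
CONSUMER_ISS = "https://consumer.example/"
ENTERPRISE_ISS = "https://enterprise.example/"

# Which signing keys are published for which issuer.
TRUSTED_KEYS = {
    CONSUMER_ISS: {CONSUMER_KEY["kid"]: CONSUMER_KEY["secret"]},
    ENTERPRISE_ISS: {ENTERPRISE_KEY["kid"]: ENTERPRISE_KEY["secret"]},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict, key: dict) -> str:
    """Issue a compact HS256 JWT whose header names the signing key by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": key["kid"]}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def _check(token: str, expected_issuer: str, key_set: dict):
    """Shared verification: parse, match issuer, look up kid in key_set, verify HMAC."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:  # covers bad base64, bad JSON, wrong number of segments
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256" or claims.get("iss") != expected_issuer:
        return None
    secret = key_set.get(header.get("kid"))
    if secret is None:
        return None
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, sig) else None

def validate_token_flat(token: str, expected_issuer: str):
    """Weak: one merged key set for every issuer, so a consumer key can vouch for an enterprise token."""
    merged = {kid: sec for ks in TRUSTED_KEYS.values() for kid, sec in ks.items()}
    return _check(token, expected_issuer, merged)

def validate_token(token: str, expected_issuer: str):
    """Hardened: only keys published for the expected issuer are consulted."""
    return _check(token, expected_issuer, TRUSTED_KEYS.get(expected_issuer, {}))
```

A token carrying the enterprise issuer but signed with the consumer key passes `validate_token_flat` and is rejected by `validate_token`; logging the rejected `kid` and `iss` pair is the audit signal a defender wants from this check.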
A senior CISA official confirmed during a conference call with media on Wednesday that the total number of U.S. organizations impacted by the attack was in the single digits.
CISA and the FBI are urging critical infrastructure providers to enable audit logging. Any organization detecting unusual activity in its cloud or on-premises environment should contact CISA or the FBI, officials said during the call.