Microsoft claims hackers have breached government emails

Motivated threat actors continue to focus on compromising IT systems, as the rate of global cyber attacks increase
Microsoft releases information about hacker group Storm-0558 breaching email accounts of 25 high profile organisations, adding to increased cyber concerns

Microsoft has released information to suggest that a group of hackers have gained access to email accounts affecting approximately 25 organisations, including government agencies.

The company has published these details of activity by threat actor Storm-0558 which is believed to be China-based. In addition to implicating companies, the hackers are also believed to have access accounts of individuals likely associated with these organisations.

Motivated threat actors continue to focus on compromising IT systems, as the rate of global cyber attacks increase. Not only is this a threat to business, but also to political and government organisations whose data could be leaked.

Forged authentication threatens cyber operations

The investigation conducted by Microsoft has determined that Storm-0558 gained access to customer email accounts by using Outlook Web Access in Exchange Online (OWA) and by managing to forge authentication tokens to access user emails.

Microsoft has been working with impacted customers and notifying them prior to going public with this information. At this stage, the company has said that they hope to share details of the incident and threat actor to benefit cybersecurity within the industry. 

The company has claimed that this hack was focused on gaining access to these systems for intelligence collection and apparently gain access to sensitive data.

In a recent blog post, Microsoft stated that the group that it has identified as Storm-0558 was able to remain undetected for a month after gaining access to email data from around 25 organisations in mid-May. The software company only discovered the breach following an investigation in mid-June, after being alerted by customer reports about abnormal mail activity.

Microsoft has now confirmed that the actor activities have now been blocked. It mitigated this via blocking the usage of tokens in OWA to prevent further mail activity, as well as replacing the relevant MSA key. The company states that it is working to continuously improve the security of the MSA key management systems to ensure the safety and security of consumer keys.

Microsoft and other tech leaders in the industry have called for transparency concerning cyber incidents so that cybersecurity can continue to improve. The increased sophistication and volume of cyber attacks cannot be overlooked and tech organisations are seeing a greater need to share information in order to better protect cyber systems.

The consequences of the MOVEit ransomware attack for example highlight how back door cyberattacks on critical areas of business have potential to permanently impact organisations to the point of closure.


Featured Articles

Gary Merrill: Who Is Commvault’s First-Ever CCO?

Experiencing a period of rapid growth, Commvault have created the new position of CCO and given it to company veteran and former CFO Gary Merrill to lead

Xalient's Stephen Amstutz on Need for Cyber Staff Wellness

Stephen Amstutz, Director of Innovation at Xalient explains why cyber staff are getting stressed and what can be done to help

Worldwide IT Outage Not Cyber Attack - But Software Update

The global IT outage that is being described as one of the biggest ever is thankfully not being attributed to a cyber attack, but rather a software update

Companies Across Cyber Sphere Warn of Surge in DDoS attacks

Cyber Security

UK Takes Steps to Strengthen Country's Cyber Security

Cyber Security

BlueVoyant Launch Platform to Tackle Supplier Attack Surface

Operational Security