Raimondo is the only known Cabinet-level official to have their account compromised in the targeted cyberespionage campaign, according to U.S. officials familiar with the matter, who spoke on the condition of anonymity due to the matter’s sensitivity.
Chinese hackers breach email of Commerce Secretary Raimondo and State Department officials
The State Department discovered the Microsoft vulnerability, which affected unclassified government systems, last month
Chinese cyberspies, exploiting a fundamental gap in Microsoft’s cloud, hacked email accounts at the Commerce and State departments, including that of Commerce Secretary Gina Raimondo — whose agency has imposed stiff export controls on Chinese technologies that Beijing has denounced as a malicious attempt to suppress its companies.
The hackers, looking for information useful to the Chinese government, had access to the email accounts for about a month before the issue was discovered and access cut off, said officials. The intrusion was discovered around the time of Secretary of State Antony Blinken’s trip to Beijing.
“U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” National Security Council spokesman Adam Hodges said in a statement Tuesday to The Washington Post. “Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. government to a high security threshold.”
Microsoft disclosed late Tuesday that it had mitigated an attack by “a China-based threat actor” that primarily targets government agencies in Western Europe and focuses on espionage and data theft.
The Redmond, Wash.-based tech giant said the hackers, whom the firm calls Storm-0558, gained access on May 15. They did this by using forged authentication tokens to access user email using “an acquired Microsoft account consumer signing key,” according to a blog written by Charlie Bell, Microsoft’s executive vice president of security.
U.S. officials said they were investigating how the signing keys were obtained from Microsoft, which did not respond to written questions from The Post. “That is an area of urgent focus,” said the DHS official.
“This attack used a stolen key that Microsoft’s design failed to properly validate,” said Jason Kikta, chief information security officer at Automox and former head of private sector partnerships at U.S. Cyber Command. “The inability to do proper validation for authentication is a habit, not an anomaly.”
Microsoft has completed its mitigation of the attack for all customers, Bell wrote in the blog.
The State Department discovered the intrusion on June 16 and notified the company the same day, officials said. The diplomatic agency is a favorite target for foreign spy services. Russian government hackers have breached its networks at least twice, in 2014 and during the 2020 Solar Winds campaign.
In the latter incident, Russian hackers accessed U.S. government email accounts after exploiting software made by a Texas company called SolarWinds. Once inside a target network, the hackers exploited weaknesses in Microsoft’s system for authenticating users, using tokens that would improperly give them the same access as an administrator.
Officials stressed the latest breach was much narrower than the SolarWinds breach, which officials say affected nearly a dozen U.S. agencies.
Further underscoring Microsoft’s continuing security woes, the company confirmed Tuesday that its validation procedure had been manipulated to digitally sign dozens of pieces of software. And in yet a third incident, it warned that Russian actors it blames for espionage and financial crimes were exploiting a previously unknown vulnerability in its Office program.
After the SolarWinds hack, Microsoft President Brad Smith testified to the Senate that its code had not been vulnerable, instead blaming customers for common configuration mistakes and poor controls, including cases “where the keys to the safe and the car were left out in the open.”
Following the SolarWinds fiasco, Microsoft agreed to provide more log access free to government customers. It was that capability that allowed the government to identify the latest intrusion, the DHS official said.
Not everyone had that visibility, however.
“It is our perspective that every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box,” said the DHS official.
The latest incident strengthens the administration’s hand as it pushes for cloud and software providers to be held more accountable for security failings, a key part of its National Cybersecurity Strategy.
The U.S. government has already tightened cybersecurity rules for vendors whose software and hardware it uses.