US officials described the attacks as targeted and focused on a small number of accounts at the agencies that were breached, as opposed to hacks seeking to steal large amounts of data. CISA and the FBI issued a joint advisory urging organisations to harden their Microsoft 365 cloud environments.
The hacking campaign got underway in the weeks before Secretary of State Antony Blinken arrived in Beijing to meet with top officials, including Chinese President Xi Jinping.
A key remaining question is how the hackers were able to pull off the breach.
The hackers used “forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key,” Microsoft’s Bell said in his post. The hackers were then able to access Outlook email hosted on systems run and operated by Microsoft.
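The mechanism described above turns on one point: a signature check alone cannot distinguish a forged token from a legitimate one once the signing key is in the wrong hands, so a verifier must also confirm that the key named in the token is one it trusts for that audience. The following is an added example, not code from the original article or from Microsoft; it uses HMAC secrets as a stand-in for the issuer's real asymmetric signing keys, and the key identifiers, audiences and claims are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in keys. A real issuer signs with private RSA keys; HMAC
# secrets keep the example self-contained. The token's "kid" names the key.
KEYS = {
    "consumer-key-1": b"consumer-secret",
    "enterprise-key-1": b"enterprise-secret",
}
# Assumption for this example: each audience trusts only the keys scoped to
# it, so a consumer-scoped key must never validate an enterprise token.
TRUSTED_KIDS = {
    "consumer": {"consumer-key-1"},
    "enterprise": {"enterprise-key-1"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, kid: str) -> str:
    """Issue a compact header.claims.signature token signed with key `kid`."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"

def verify_token(token: str, audience: str) -> tuple[bool, str]:
    """Return (accepted, reason). Key scope is checked before the signature,
    so a well-formed signature from a key of another scope is still rejected."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_unb64(h_b64))
        claims = json.loads(_unb64(c_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    kid = header.get("kid")
    if kid not in TRUSTED_KIDS.get(audience, set()):
        return False, f"kid {kid!r} not trusted for audience {audience!r}"
    expected = hmac.new(KEYS[kid], f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s_b64)):
        return False, "bad signature"
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    return True, "ok"
```

The rejection reason is what belongs in an audit log: a token presenting a key identifier outside the audience's trusted set is exactly the event an investigator needs recorded.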
But how hackers obtained the signing key that gave them access to these emails remains unknown.
“The big question here really is where did they get the MSA-key to sign tokens,” said Sami Laiho, a computer security expert who specialises in Microsoft products. One possible explanation, Laiho said, is that Microsoft itself was breached.
Microsoft didn’t immediately respond to a request for comment about how hackers obtained the signing key.
The senior official used the news of the breach to highlight a source of tension between Microsoft and the US government: logging. Logs allow cybersecurity investigators to dig through digital clues left behind on their own systems to figure out if they’ve been hacked and who may be responsible.
More advanced logging can capture and record granular actions made by a user, like if a certain email was accessed.
At issue is whether Microsoft should sell logging as a premium add-on for government customers or include it in its product for free.
A lack of logging complicated the investigation into the so-called SolarWinds attack, which was disclosed in 2020. In that episode, Russian state-sponsored hackers planted a malicious update in software made by SolarWinds Corp., which installed a digital backdoor that they could then use to further infiltrate SolarWinds customers. Ultimately, nine US agencies and about 100 companies were breached via the SolarWinds update and other methods.
Microsoft offered its premium logging feature for free for about a year in the wake of the SolarWinds hack. CISA and others have said that logs should be free, maintaining that they are crucial for detecting and investigating security incidents.
On Wednesday, the senior officials said some of the affected US agencies paid for a premium logging feature and were able to detect the breach on their own. Microsoft, which retains the logs, was able to identify other victims that did not pay for logging.
Requiring organisations to pay for better logging is a recipe for inadequate visibility into what has occurred in networks, the official said, adding that the issue requires urgent attention.
Bloomberg