Microsoft reveals how hackers stole its email signing key... kind of

Zack Whittaker

September 8, 2023 at 5:15 PM·5 min read

A series of unfortunate and cascading mistakes allowed a China-backed hacking group to steal one of the keys to Microsoft's email kingdom that granted near unfettered access to U.S. government inboxes. Microsoft explained in a long-awaited blog post this week how the hackers pulled off the heist. But while one mystery was solved, several important details remain unknown.

To recap, Microsoft disclosed in July that hackers it calls Storm-0558, which it believes are backed by China, "acquired" an email signing key that Microsoft uses to secure consumer email accounts like Outlook.com. The hackers used that digital skeleton key to break into both the personal and enterprise email accounts of government officials hosted by Microsoft. The hack is seen as a targeted espionage campaign aimed at snooping on the unclassified emails of U.S. government officials and diplomats, reportedly including U.S. Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns.

How the hackers obtained that consumer email signing key was a mystery — even to Microsoft — until this week when the technology giant belatedly laid out the five separate issues that led to the eventual leak of the key.

Microsoft said in its blog post that in April 2021, a system used as part of the consumer key signing process crashed. The crash produced a snapshot image of the system for later analysis. This consumer key signing system is kept in a "highly isolated and restricted" environment where internet access is blocked to defend against a range of cyberattacks. Unbeknownst to Microsoft, when the system crashed, the snapshot image inadvertently included a copy of the consumer signing key 1️⃣ but Microsoft's systems failed to detect the key in the snapshot 2️⃣.

The snapshot image was "subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network" to understand why the system crashed. Microsoft said this was consistent with its standard debugging process, but that the company's credential scanning methods also did not detect the key's presence in the snapshot image 3️⃣.

Then, at some point after the snapshot image was moved to Microsoft's corporate network in April 2021, Microsoft said that the Storm-0558 hackers were able to "successfully compromise" a Microsoft engineer's corporate account, which had access to the debugging environment where the snapshot image containing the consumer signing key was stored. Microsoft said it cannot be completely certain this was how the key was stolen because "we don’t have logs with specific evidence of this exfiltration," but said this was the "most probable mechanism by which the actor acquired the key."

As for how the consumer signing key granted access to enterprise and corporate email accounts of several organizations and government departments, Microsoft said its email systems were not automatically or properly performing key validation 4️⃣, which meant that Microsoft's email system would "accept a request for enterprise email using a security token signed with the consumer key," 5️⃣ the company said.

Mystery solved? Not quite

Microsoft's admission that the consumer signing key was probably stolen from its own systems ends a theory that the key may have been obtained elsewhere.

But the circumstances of how exactly the intruders hacked into Microsoft remains an open question. When reached for comment, Jeff Jones, senior director at Microsoft, told TechCrunch that the engineer's account was compromised using "token-stealing malware," but declined to comment further.

Token-stealing malware, which can be delivered by phishing or malicious links, seek out session tokens on a victim's computer. Session tokens are small files that allow users to stay persistently logged-in without having to constantly re-enter a password or re-authorize with two-factor authentication. As such, stolen session tokens can grant an attacker the same access as the user without needing the user's password or two-factor code.

It's a similar attack method to how Uber was breached last year by a teenage hacking crew called Lapsus$, which relied on malware to steal Uber employee passwords or session tokens. Software company CircleCi was also similarly compromised in January after the antivirus software the company was using failed to detect token-stealing malware on an engineer's laptop. LastPass, too, had a major data breach of customers' password vaults after hackers broke into the company's cloud storage by way of a compromised LastPass developer's computer.

How the Microsoft engineer's account was compromised is an important detail that could help network defenders prevent a similar incident in the future. It's not clear if the engineer's work-issued computer was compromised, or if it was a personal device that Microsoft allowed on its network. In any case, the focus on an individual engineer seems unfair given the real culprits for the compromise are the network security policies that failed to block the (albeit highly skilled) intruder.

What is clear is that cybersecurity is incredibly difficult, even for corporate mega-giants with near-limitless cash and resources. Microsoft engineers imagined and considered a wide range of the most complex threats and cyberattacks in designing protections and defenses for the company's most sensitive and critical systems, even if those defenses ultimately failed. Whether Storm-0558 knew it would find the keys to Microsoft's email kingdom when it hacked into the company's network or it was pure chance and sheer timing, it's a stark reminder that cybercriminals often only need to be successful once.

There seems to be no apt analogy to describe this unique breach or circumstances. It's both possible to be impressed by the security of a bank's vault and still acknowledge the efforts by the robbers who stealthily stole the loot inside.

It's going to be some time before the full scale of the espionage campaign becomes clear, and the remaining victims whose emails were accessed have yet to be publicly disclosed. The Cyber Security Review Board, a body of security experts tasked with understanding the lessons learned from major cybersecurity incidents, said it will investigate the Microsoft email breach and conduct a broader review of issues "relating to cloud-based identity and authentication infrastructure.”

Microsoft lost its keys, and the government got hacked

Yahoo Sports
NFL Draft: Packers fan upset with team's 1st pick, and Lions fans hilariously rubbed it in
Not everyone was thrilled with their team's draft on Thursday night.
1d ago
Yahoo Sports
NFL to allow players to wear protective Guardian Caps in games beginning with 2024 season
The NFL will allow players to wear protective Guardian Caps during games beginning with the 2024 season. The caps were previously mandated for practices.
17h ago
Yahoo Sports
Michael Penix Jr. said Kirk Cousins called him after Falcons' surprising draft selection
Atlanta Falcons first-round draft pick Michael Penix Jr. said quarterback Kirk Cousins called him after he was picked No. 8 overall in one of the 2024 NFL Draft's more puzzling selections.
15h ago
Yahoo Sports
Panthers owner David Tepper stopped by Charlotte bar that criticized his draft strategy
“Please Let The Coach & GM Pick This Year" read a sign out front.
19h ago
Yahoo Sports
NBA playoffs: Tyrese Hailburton game-winner and potential Damian Lillard Achilles injury leaves Bucks in nightmare
Tyrese Haliburton hit a floater with 1.1 seconds left in overtime to give the Indiana Pacers a 121–118 win over the Milwaukee Bucks. The Pacers lead their first-round playoff series two games to one.
14h ago
Yahoo Sports
Korey Cunningham, former NFL lineman, found dead in New Jersey home at age 28
Cunningham played 31 games in the NFL with the Cardinals, Patriots and Giants.
20h ago
Yahoo Sports
Based on the odds, here's what the top 10 picks of the NFL Draft will be
What would a mock draft look like using just betting odds?
5d ago
Yahoo Sports
Luka makes Clippers look old, Suns are in big trouble & a funeral for Lakers | Good Word with Goodwill
Vincent Goodwill and Tom Haberstroh break down last night’s NBA Playoffs action and preview several games for tonight and tomorrow.
3d ago
Yahoo Sports
Fantasy Baseball Waiver Wire: Widely available players ready to help your squad
Andy Behrens has a fresh batch of priority pickups for fantasy managers looking to close out the week in strong fashion.
1d ago
Yahoo Sports
Dave McCarty, player on 2004 Red Sox championship team, dies 1 week after team's reunion
The Red Sox were already mourning the loss of Tim Wakefield from that 2004 team.
7d ago

News

Life

Entertainment

Finance

Sports

New on Yahoo

Microsoft reveals how hackers stole its email signing key... kind of

Mystery solved? Not quite

Recommended Stories

NFL Draft: Packers fan upset with team's 1st pick, and Lions fans hilariously rubbed it in

NFL to allow players to wear protective Guardian Caps in games beginning with 2024 season

Michael Penix Jr. said Kirk Cousins called him after Falcons' surprising draft selection

Panthers owner David Tepper stopped by Charlotte bar that criticized his draft strategy

NBA playoffs: Tyrese Hailburton game-winner and potential Damian Lillard Achilles injury leaves Bucks in nightmare

Korey Cunningham, former NFL lineman, found dead in New Jersey home at age 28

Based on the odds, here's what the top 10 picks of the NFL Draft will be

Luka makes Clippers look old, Suns are in big trouble & a funeral for Lakers | Good Word with Goodwill

Fantasy Baseball Waiver Wire: Widely available players ready to help your squad

Dave McCarty, player on 2004 Red Sox championship team, dies 1 week after team's reunion