China-backed hackers gain access to Microsoft email key: Details

The threat actor, identified as Storm-0558, used an acquired Microsoft account (MSA) consumer key to generate tokens, granting them access to Outlook Web App (OWA) and Outlook.com.

In a significant cybersecurity breach, hackers supported by China managed to steal a crucial digital consumer key from Microsoft. This key allowed them unhindered entry into US government email accounts, marking one of the most substantial security breaches in both corporate and government sectors.

Reportedly, Microsoft's investigation revealed that a crash in the consumer signing system in April 2021 led to a snapshot of the process, commonly known as a crash dump. Normally, these dumps should not include sensitive information, like the signing key. However, due to a race condition, the key ended up in the crash dump. This issue has since been rectified.

The presence of the key material in the crash dump went undetected by Microsoft's systems, but this loophole has also been addressed. The hackers used this digital skeleton key to infiltrate both personal and enterprise email accounts of government officials hosted on Microsoft's platform.

After the crash, the dump, which at the time was believed to contain no key material, was moved from the isolated production network to the debugging environment on the internet-connected corporate network.

After April 2021, with the key inadvertently present in the corporate environment via the crash dump, Storm-0558 successfully compromised a Microsoft engineer's corporate account. This account had access to the debugging environment containing the crash dump that mistakenly held the key.

Although specific evidence of this exfiltration wasn't retained due to log retention policies, Microsoft pointed to this mechanism as the most likely way the actor acquired the key.