The Suspected China-Backed Hackers and the Potential Impact on Microsoft Accounts: Researchers Warn of Possible File Copying

by time news

Title: Suspected China-Backed Hackers May Have Accessed Protected Documents in Recent Attack, Researchers Warn

Subtitle: Concerns grow over the extent of the breach as Microsoft revokes stolen signing key

Date: [Current Date]

In a recent cyber attack that targeted high-profile U.S. officials, suspected China-backed hackers may have copied confidential documents and files protected by Microsoft login information, according to researchers. The breach, disclosed a week ago, has raised alarm among officials due to the sophisticated methods used by the attackers.

The attackers reportedly used a stolen or forged Microsoft signing key, which is used by the company to authenticate customers. With this key, the hackers could impersonate any Microsoft Exchange or Outlook email customer and gain access to employee inboxes. Experts from cloud security company Wiz have now concluded that those in possession of the signing key could have extended their access to other widely used Microsoft cloud offerings, including SharePoint, Teams, and OneDrive.

The researchers warned that the compromised signing key could have allowed the threat actors to forge access tokens for multiple types of Azure Active Directory applications, including customer applications that offer the option to “login with Microsoft.” Wiz outlined its concerns in a detailed blog post, indicating the possibility of broader access to sensitive data.

Although Microsoft has taken action and revoked the signing key, preventing its use in future attacks, experts fear that the attackers may have left back doors in applications that would enable their return. Furthermore, some software may still recognize a session initiated by an expired key, adding to the complexity of the situation.

Microsoft has downplayed the likelihood of the attackers going beyond the targeted email accounts, which included Commerce Secretary Gina Raimondo and U.S. ambassador to China Nicholas Burns. A spokesperson for Microsoft dismissed some claims made by researchers as speculative and not evidence-based.

The Cybersecurity and Infrastructure Security Agency (CISA), the entity responsible for defending civilian arms of the U.S. government, has stated that there is no evidence to suggest that the attackers went beyond email accounts. Eric Goldstein, the executive assistant director for cybersecurity at CISA, assured the public that the investigation is ongoing and that collaboration with Microsoft continues.

Fortunately, no classified information is believed to have been taken in the breach. Microsoft has revealed that it was able to monitor each instance in which the stolen signing key was used and that approximately two dozen organizations worldwide were affected.

The intrusion was first flagged by the State Department, which discovered it while reviewing activity logs provided by Microsoft following the SolarWinds hack in 2020. In response to this latest breach, Microsoft announced its intention to provide various types of logs free to private customers for enhanced visibility and prevention.

While Microsoft has already attributed the attack to a Chinese group and provided details on their techniques, the origin of the stolen signing key still remains under investigation.

Commenting on the situation, former National Security Agency analyst Jake Williams underscored the challenge of assessing the impact of the breach. He expressed concerns about the vulnerability of apps that allow Microsoft logins and the limited availability of logs for all affected applications.

Williams also noted that since the revoked signing key may not be blocked by all apps immediately, there is a risk that threat actors may continue exploiting it before the revocation takes effect everywhere.
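The point made above (and earlier, that some software may keep honoring a session started under a key that has since been pulled) comes down to how a relying party refreshes the issuer's published key set. The following is an added illustration, not code from the article, Wiz, or Microsoft, and it does not model Microsoft's real token format or key infrastructure: a constructed toy issuer publishes HMAC keys by key id, one relying party caches that key set forever, and another re-fetches it on a time-to-live. All key material, claim values and the `max_age_s` window are made-up assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed toy (not Microsoft's token format or key infrastructure):
# HMAC-signed tokens carrying a key id ("kid"), an issuer that publishes its
# current key set, and two relying parties that differ only in how they
# refresh that key set. All key material and claims are made-up sample values.


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint header.claims.signature, naming the signing key by kid in the header."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_token(token: str, keys: dict) -> Optional[dict]:
    """Return the claims if the token's kid is in `keys` and the MAC verifies, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        kid = json.loads(_unb64(header_b64)).get("kid")
    except (ValueError, AttributeError):
        return None
    if kid not in keys:
        return None  # unknown or no-longer-published key: refuse the token
    expected = hmac.new(keys[kid], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None
    return json.loads(_unb64(body_b64))


class KeyService:
    """Stands in for the identity provider's published key set (a JWKS-style endpoint)."""

    def __init__(self) -> None:
        self.keys = {"key-2023": b"constructed-issuer-secret"}  # constructed value

    def revoke(self, kid: str) -> None:
        """Revocation here means the key disappears from the published set."""
        self.keys.pop(kid, None)

    def published_keys(self) -> dict:
        return dict(self.keys)


class StaleCacheVerifier:
    """Relying party that fetched the key set once at startup and never again."""

    def __init__(self, service: KeyService) -> None:
        self.keys = service.published_keys()

    def verify(self, token: str) -> Optional[dict]:
        return verify_token(token, self.keys)


class RefreshingVerifier:
    """Relying party that re-fetches the key set once its cached copy is older than
    max_age_s. `clock` is injected so the example can advance time deterministically."""

    def __init__(self, service: KeyService, max_age_s: float, clock) -> None:
        self.service, self.max_age_s, self.clock = service, max_age_s, clock
        self.keys, self.fetched_at = service.published_keys(), clock()

    def verify(self, token: str) -> Optional[dict]:
        if self.clock() - self.fetched_at >= self.max_age_s:
            self.keys, self.fetched_at = self.service.published_keys(), self.clock()
        return verify_token(token, self.keys)


def revocation_timeline() -> dict:
    """Mint a token, revoke its key, then ask each relying party whether it still accepts it."""
    now = [0.0]

    def clock() -> float:
        return now[0]

    service = KeyService()
    token = sign_token("key-2023", service.keys["key-2023"], {"sub": "user@example.test"})
    stale = StaleCacheVerifier(service)
    refreshing = RefreshingVerifier(service, max_age_s=300, clock=clock)

    service.revoke("key-2023")
    results = {"stale_cache": stale.verify(token) is not None}
    results["refreshing_within_ttl"] = refreshing.verify(token) is not None
    now[0] += 301  # the cached key set ages past max_age_s
    results["refreshing_after_ttl"] = refreshing.verify(token) is not None
    return results


if __name__ == "__main__":
    print(revocation_timeline())
```

Run as a script, it shows the three outcomes that the article's caveat describes: the never-refreshing relying party accepts the token indefinitely after revocation, the refreshing one still accepts it inside its cache window, and only once the cache expires does the unknown `kid` cause a refusal. Shortening that window, refreshing on any unknown `kid`, and refusing tokens whose key is absent from the freshly fetched set are the defender-side levers this toy exposes.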

The recent findings highlight the vulnerability of cloud systems that underpin a growing number of software operations. As cyber attacks evolve in sophistication, organizations must prioritize robust security measures and continuous monitoring to prevent unauthorized access to sensitive data.
