In two blog posts published on Tuesday, Microsoft disclosed that a China-based hacking group — which the company refers to as “Storm-0558” — is intent on “gaining access to email systems for intelligence collection.” It said the espionage-focused group breached an unidentified number of email accounts linked to around 25 organizations, including some related individual consumer accounts and government agencies in Western Europe and the US.
According to The Washington Post, it was the US government that notified Microsoft of the exploit. “Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service,” National Security Council spokesperson Adam Hodges said to the publication. “We continue to hold the procurement providers of the US government to a high security threshold.”
The group used forged authentication tokens to access the affected email accounts through Outlook Web Access (OWA) in Exchange Online and through Outlook.com, starting on May 15th. The activity went undetected for about a month, until Microsoft began its investigation on June 16th following what it called “customer reported information.”
The hack affected unclassified systems and doesn’t appear to have compromised email accounts linked to the Pentagon, military, or intelligence community, according to The Washington Post’s sources.
Microsoft says it has contacted every customer targeted in the breach and implemented mitigations for them. The company said it has hardened its defenses by adding “substantial automated detections” to flag activity associated with the attack, and it is now working with the Department of Homeland Security’s cyber defense agency (CISA) to protect affected users. The other organizations and government agencies compromised by the hackers have not been disclosed.
Update July 13th 9.30AM ET: Added more recent estimates and details about the number of SolarWinds customers compromised via the malicious update in 2020.