(Bloomberg) — Commerce Secretary Gina Raimondo was among the US officials whose emails were breached in a hack of government accounts that Microsoft Corp. has said originated from China, according to a person familiar with the matter.
Raimondo has been a prominent American figure implementing export curbs on advanced semiconductor technology to China, moves which Beijing has decried as undermining free trade and global supply chain stability. The person asked not to be identified discussing information that hasn’t been made public.
A Commerce Department spokesperson declined to comment or confirm the breach of Raimondo’s emails, which was reported earlier by the Washington Post. Microsoft also declined to comment late Wednesday night.
The Commerce and State Departments as well as agencies in Western Europe were also attacked, according to government officials and Microsoft.
Commerce took immediate action after being notified by Microsoft that the department had been breached, the spokesperson said earlier Wednesday.
When asked on Thursday about the claims that US officials were hacked, China’s Foreign Ministry said that “the US should account for its cyberattacks as soon as possible rather than spread false information and divert attention.”
Last month, the US State Department identified anomalous activity and alerted Microsoft to the attack, according to a spokesperson, who said the agency had no reason to doubt that the hackers, who breached Microsoft Outlook accounts, were based in China.
“A subsequent investigation by the company determined that the hackers accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” according to a statement from the US Cybersecurity and Infrastructure Security Agency, known as CISA.
It wasn’t known what other US agencies were affected, but a senior official said the number was in the single digits.
US officials described the attacks as targeted and focused on a small number of accounts at the agencies that were breached, rather than a hack seeking to steal large amounts of data. CISA and the FBI issued a joint advisory urging organizations to harden their Microsoft 365 cloud environments.
The hacking campaign got underway in the weeks before Secretary of State Antony Blinken arrived in Beijing to meet with top officials, including Chinese President Xi Jinping, according to the officials.
In a blog post published Tuesday night, Microsoft described the group behind the attack as China-based, calling it Storm-0558. The hackers were able to remain undetected for a month after gaining access to email data from around 25 organizations in mid-May.
“We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection,” Charlie Bell, an executive vice president at Microsoft, wrote in another post.
It also wasn’t clear which European governments were affected. Italian cybersecurity officials said they were in contact with Microsoft “in order to identify potential Italian subjects involved in the latest attacks.”
Asked about the findings, China’s Foreign Ministry spokesman Wang Wenbin, at a regular briefing on Wednesday, accused the US of being the world’s largest cyberattacker.
The hackers used “forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key,” Microsoft’s Bell said in his post. The hackers were then able to access Outlook email hosted on systems run and operated by Microsoft.
But how hackers obtained the signing key that gave them access to these emails remains unknown.
“The big question here really is where did they get the MSA-key to sign tokens,” said Sami Laiho, a computer security expert who specializes in Microsoft products. One possible explanation, Laiho said, is if Microsoft itself was breached.
Microsoft didn’t immediately respond to a request for comment about how hackers obtained the signing key.
The senior official used the news of the breach to highlight a source of tension between Microsoft and the US government: logging. Logs allow cybersecurity investigators to dig through digital clues left behind on their own systems to figure out if they’ve been hacked and who may be responsible.
More advanced logging can capture and record granular actions made by a user, like if a certain email was accessed. At issue is whether Microsoft should sell logging as a premium add-on for government customers or include it in its product for free.
A lack of logging complicated the investigation into the so-called SolarWinds attack, disclosed in 2020. In that episode, Russian state-sponsored hackers inserted a backdoor into a software update from SolarWinds Corp., which they could then use to infiltrate SolarWinds customers further. Ultimately, nine US agencies and about 100 companies were breached via the SolarWinds update and other methods.
Microsoft offered its premium logging feature for free for about a year in the wake of the SolarWinds hack. CISA and others have said that logs should be free, maintaining that they are crucial for detecting and investigating security incidents.
On Wednesday, the senior official said some of the affected US agencies paid for a premium logging feature and were able to detect the breach on their own. Microsoft, which retains the logs, was able to identify others that were hacked but didn’t pay for logging.
Requiring organizations to pay for better logging is a recipe for inadequate visibility into what has occurred in networks, the official said, adding that the issue requires urgent attention.
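The kind of signal that mailbox-level access logging provides, and what is lost without it, as an added example that is not part of the article and not Microsoft's own schema or tooling. The audit records are constructed in a simplified shape loosely modelled on Microsoft 365 unified audit log events; the field names, the organization's known networks, the approved client strings and the 24-hour correlation window are assumptions. With only sign-in records available, the mailbox read leaves nothing to detect; with item-access records, simple heuristics flag it.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed records (simplified field names; not the real audit schema).
RECORDS = [
    {"CreationTime": "2023-05-15T08:02:11Z", "Operation": "UserLoggedIn",
     "UserId": "secretary@agency.example", "ClientIP": "203.0.113.10",
     "ClientInfoString": "Client=OWA;Browser=Edge"},
    {"CreationTime": "2023-05-15T08:05:40Z", "Operation": "MailItemsAccessed",
     "UserId": "secretary@agency.example", "ClientIP": "203.0.113.10",
     "ClientInfoString": "Client=OWA;Browser=Edge", "MailAccessType": "Bind", "ItemCount": 3},
    # Suspicious access: unfamiliar client, address outside the org, no sign-in from it.
    {"CreationTime": "2023-05-15T23:41:02Z", "Operation": "MailItemsAccessed",
     "UserId": "secretary@agency.example", "ClientIP": "198.51.100.77",
     "ClientInfoString": "Client=REST;Protocol=OutlookREST", "MailAccessType": "Sync", "ItemCount": 412},
]

KNOWN_NETWORKS = ["203.0.113.0/24"]          # assumption: the organization's egress ranges
KNOWN_CLIENTS = {"Client=OWA", "Client=Outlook"}  # assumption: approved mail clients


def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["CreationTime"].replace("Z", "+00:00"))


def available_records(records: list, premium: bool) -> list:
    """Model the two tiers: without premium logging, per-item mailbox access is not recorded."""
    if premium:
        return list(records)
    return [r for r in records if r["Operation"] != "MailItemsAccessed"]


def detect(records: list, known_networks: list, known_clients: set, window_hours: int = 24) -> list:
    """Flag mailbox reads that do not look like the mailbox owner's normal activity."""
    nets = [ip_network(n) for n in known_networks]
    logins = [r for r in records if r["Operation"] == "UserLoggedIn"]
    findings = []
    for rec in records:
        if rec["Operation"] != "MailItemsAccessed":
            continue
        reasons = []
        addr = ip_address(rec["ClientIP"])
        if not any(addr in net for net in nets):
            reasons.append("source IP outside known ranges")
        client = rec["ClientInfoString"].split(";")[0]
        if client not in known_clients:
            reasons.append(f"unexpected client {client}")
        # A token minted outside the provider's sign-in flow never produced a sign-in
        # record, so a read with no recent sign-in from the same address stands out.
        t = _ts(rec)
        seen_login = any(
            login["UserId"] == rec["UserId"]
            and login["ClientIP"] == rec["ClientIP"]
            and 0 <= (t - _ts(login)).total_seconds() <= window_hours * 3600
            for login in logins
        )
        if not seen_login:
            reasons.append("no matching sign-in in window")
        if reasons:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "ip": rec["ClientIP"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for premium in (False, True):
        hits = detect(available_records(RECORDS, premium), KNOWN_NETWORKS, KNOWN_CLIENTS)
        print(f"premium={premium}: {len(hits)} finding(s)", hits)
```

The heuristics are deliberately plain; the point is that all three of them need the per-item access record as input, and the basic tier never emits it, so the same read is invisible no matter how good the rules are.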
–With assistance from James Mayger, Justin Sink, Iain Marlow, Flavia Rotondi, Katrina Manson, Eric Martin and Colum Murphy.
(Updates with response from China’s Foreign Ministry.)
©2023 Bloomberg L.P.