Microsoft said its engineers detected the data breach in June, when a Chinese hacker identified as Storm-0558 was found to have accessed email accounts at several government agencies. Photo by John Angelillo/UPI
Sept. 7 (UPI) -- Microsoft published the findings of an internal investigation detailing how a suspected Chinese hacker pried into email accounts at government agencies in the United States and Europe for more than two years before the breach was discovered in June.
The report, released Wednesday, said the China-based cybercriminal who goes by the handle Storm-0558 first gained access to the Microsoft emails of high-level officials in April 2021.
In a statement, the global tech giant said it has wrapped up a comprehensive technical investigation that determined the hacker used a consumer key from a legitimate Microsoft account to forge security tokens that allowed backdoor access to Outlook.com.
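The mechanism described above, a signing key from one identity realm being used to mint tokens accepted elsewhere, is easiest to understand from the verifier's side. The following is an added example written for this article, not Microsoft's code or a description of its token service: it constructs two hypothetical key sets (a "consumer" realm and an "enterprise" realm, both placeholders) and compares a weak verifier that trusts any known key ID with a hardened one that only looks up keys under the issuer it expects. Token format and key values are constructed for illustration.

```python
"""Added example (not Microsoft's code): why a token verifier must bind a
signing key to the issuer it belongs to. A token signed with the consumer
realm's key but claiming the enterprise issuer is accepted by the weak
verifier and rejected by the scoped one."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder issuers, key IDs and secrets; not real values.
KEY_SETS = {
    "https://consumer.example/": {"kid-consumer-1": b"consumer-secret-0001"},
    "https://enterprise.example/": {"kid-enterprise-1": b"enterprise-secret-0001"},
}


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer, kid, key, subject, audience, ttl=3600, now=None):
    """Create a simplified HS256 JWT-style token: header.payload.signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "kid": kid}
    payload = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl}
    signing_input = f"{_b64u(json.dumps(header).encode())}.{_b64u(json.dumps(payload).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64u(sig)}"


def _parse(token):
    h, p, s = token.split(".")
    return h, p, s, json.loads(_b64u_decode(h)), json.loads(_b64u_decode(p))


def _checks(payload, expected_issuer, expected_audience, now):
    if payload.get("iss") != expected_issuer:
        return "issuer mismatch"
    if payload.get("aud") != expected_audience:
        return "audience mismatch"
    if payload.get("exp", 0) <= now:
        return "expired"
    return None


def verify_token_unscoped(token, expected_issuer, expected_audience, now=None):
    """Weak variant: resolves the kid across every realm, then trusts the
    payload's own 'iss' claim. A valid signature from any known key passes."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s, header, payload = _parse(token)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    key = None
    for realm_keys in KEY_SETS.values():
        key = realm_keys.get(header.get("kid")) or key
    if key is None:
        return False, "unknown key"
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64u_decode(s)):
        return False, "bad signature"
    reason = _checks(payload, expected_issuer, expected_audience, now)
    return (False, reason) if reason else (True, "ok")


def verify_token(token, expected_issuer, expected_audience, now=None):
    """Hardened variant: the key is looked up only under the issuer this
    service expects, so a key ID from another realm is simply unknown here."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s, header, payload = _parse(token)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    key = KEY_SETS.get(expected_issuer, {}).get(header.get("kid"))
    if key is None:
        return False, "unknown key for issuer"
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64u_decode(s)):
        return False, "bad signature"
    reason = _checks(payload, expected_issuer, expected_audience, now)
    return (False, reason) if reason else (True, "ok")


if __name__ == "__main__":
    ent = "https://enterprise.example/"
    legit = mint_token(ent, "kid-enterprise-1", b"enterprise-secret-0001", "alice", "mail", now=1_000_000)
    # A token signed with the consumer key but claiming the enterprise issuer.
    cross = mint_token(ent, "kid-consumer-1", b"consumer-secret-0001", "alice", "mail", now=1_000_000)
    print("legit  scoped:", verify_token(legit, ent, "mail", now=1_000_000))
    print("cross  weak:  ", verify_token_unscoped(cross, ent, "mail", now=1_000_000))
    print("cross  scoped:", verify_token(cross, ent, "mail", now=1_000_000))
```

The design point is that the weak verifier lets the attacker choose which realm's key validates the token and then believes the issuer claim inside the token, whereas the scoped verifier decides the issuer first and only consults that issuer's keys. Real systems use asymmetric keys published per issuer rather than the shared HMAC secrets used here for brevity.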
The breach, which was first reported by the Wall Street Journal in July, was discovered by technical staff at the State Department on June 16 after nine U.S. organizations and agencies and more than two dozen global entities were targeted through apparent cracks in Microsoft's cloud security system.
The investigation has since determined the trail of suspect activity by the hacker went back as far as April 2021, when an apparent bug caused Microsoft's email system to crash, resulting in a data purge that inexplicably contained an access key to the emails.
At the time, the system didn't alert IT to the issue as it should have, and the crack went unnoticed until just two months ago.
During the purge, Storm-0558 came upon the access key and used it to hack into the unclassified email accounts of numerous high-level officials, including Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asia Daniel Kritenbrink, as well as a host of research institutes and administrative officials across the country.
Microsoft said Wednesday that it released the investigative findings "as part of our commitment to transparency and trust," adding that the company was working to tighten up its security protocols.
The company said it has implemented stronger internal controls since the breach, including background checks on employees, credential scanning, dedicated cloud servers, secure workstations, data encryption, and multi-factor authentication when workers log in.
Microsoft said it was taking further steps to restrict access to some of its more sensitive internal data and to prohibit workers from using online collaboration tools that had potential to expose the company to malware and phishing.
"For this reason -- by policy and as part of our Zero-Trust and 'assume breach' mindset -- key material should not leave our production environment," Microsoft said, referring to emails, conferencing, and web research tools that were used previously by corporate-level employees. "While these tools are important, they also make users vulnerable to spear phishing, token stealing malware, and other account compromise vectors."
At the outset of the investigation, Microsoft said it was unsure about the full scope of the breach, but by Wednesday the company said it was confident it had gotten to the bottom of the issue and that technical staff were rolling out several new software fixes to debug the system.
"Microsoft is continuously hardening systems as part of our defense in depth strategy," the statement said.
The company said it has fixed the issue that allowed the consumer signing key to be present during the 2021 data purge. Technicians also enhanced internal tools that would prevent sensitive materials from being swept up in future crash dumps.
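The last sentence describes a control that screens crash dumps for key material before they leave the production boundary. The following is an added example written for this article, not Microsoft's tooling: it scans a constructed, in-memory "dump" for PEM-encoded private key blocks, redacts them in place, and reports how many were found, so the file can be blocked or cleaned before it reaches a debugging environment. The sample dump bytes and the key label are constructed for illustration.

```python
"""Added example (not Microsoft's tooling): redact private-key material
from a crash dump before it is exported for debugging."""
import re

# Matches PEM private key blocks such as "-----BEGIN RSA PRIVATE KEY-----".
# DOTALL lets the body span the newlines a dump would contain.
_PEM_PRIVATE = re.compile(
    rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----",
    re.DOTALL,
)

REDACTED = b"[REDACTED PRIVATE KEY]"


def scrub_dump(data: bytes) -> tuple[bytes, int]:
    """Return (scrubbed_bytes, count) with every PEM private key block
    replaced by a fixed marker; the rest of the dump is left byte-for-byte."""
    count = 0

    def _replace(_match):
        nonlocal count
        count += 1
        return REDACTED

    return _PEM_PRIVATE.sub(_replace, data), count


def dump_is_exportable(data: bytes) -> bool:
    """Policy check: a dump that still contains key material must not leave
    the production environment; scrub first, then re-check."""
    return _PEM_PRIVATE.search(data) is None


# Constructed sample dump: process strings, a fake key, more strings.
SAMPLE_DUMP = (
    b"\x00\x00thread=42 module=tokensvc.dll\n"
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIBOgIBAAJBAKPLACEHOLDERNOTAREALKEY0123456789abcdef\n"
    b"-----END RSA PRIVATE KEY-----\n"
    b"heap_size=1048576 last_error=0\x00"
)

if __name__ == "__main__":
    print("exportable before scrub:", dump_is_exportable(SAMPLE_DUMP))
    cleaned, n = scrub_dump(SAMPLE_DUMP)
    print(f"redacted {n} key block(s)")
    print("exportable after scrub: ", dump_is_exportable(cleaned))
```

The check is deliberately a denylist on a well-known encoding, which is why it is paired with a blocking policy rather than used alone: keys stored in other encodings (raw DER, JSON Web Keys) need their own detectors, and the safer posture the article describes is to keep key material out of the crash-dump path in the first place.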