Chinese Hackers Stole 60,000 US State Department Emails from Microsoft

Chinese hackers have struck again!

Thousands of emails belonging to the US State Department were stolen in a data breach targeting Microsoft Outlook accounts.

Chinese hackers are responsible for breaching the security of Microsoft’s cloud-based Exchange email platform, which occurred in May 2023. Apart from stealing tens of thousands of emails from official accounts, the attackers obtained a list of all email accounts belonging to the State Department, Reuters reported.

As reported by, Microsoft revealed the breach in July 2023, explaining that threat actors breached Outlook accounts used by 25 organizations, including the US State and Commerce Departments, and other charges linked to these entities. The tech giant didn’t disclose the names of the impacted organizations and government entities.

The scope of the breach was disclosed at a Senate staff briefing on September 28, 2023. It was revealed at least 60,000 emails belonging to state department officials stationed in the Pacific, East Asia, and Europe were stolen. The compromised accounts mainly belonged to personnel focusing on Indo-Pacific diplomacy.

In a press briefing, State Department’s spokesperson Matthew Miller confirmed the data breach, explaining that “classified systems” weren’t hacked in that incident. Miller also added that the department is yet to make an attribution, but there’s no reason to doubt Microsoft’s attribution.

“Again, this was a hack of Microsoft systems that the State Department uncovered and notified Microsoft about,” Miller told reporters.

On the other hand, Senator Eric Schmitt said in his official statement that there’s a growing need to “harden” security defences against such intrusions in the future. Moreover, Schmitt believes that the federal government’s dependence on a single vendor should also be reviewed as this could be a weak link.

Microsoft has blamed the Chinese cyber-espionage group called Storm-0558 for the email breach. This group is known for infiltrating email systems of its targets to steal sensitive data.

According to a Microsoft representative, Storm-0558 accessed a Windows crash dump and obtained a consumer signing key, which could be used to compromise Exchange Online and Azure Active Directory accounts. The key was obtained by exploiting an already patched zero-day validation flaw that affected the GetAccessTokenForResourceAPI.

By exploiting this flaw, the attackers could create counterfeited signed access tokens and impersonate any account belonging to their target organizations. With this technique, Storm-0558 compromised the corporate account of a Microsoft engineer and managed to access the government email accounts.

Microsoft has revoked the stolen signing key and launched an investigation into the incident. The company has confirmed no further evidence of repeated unauthorized access to customer accounts using the same access token counterfeiting method.

Upon CISA’s insistence, Microsoft agreed to expand access to cloud logging data, which so far was only available to users having Purview Audit (Premium) logging licenses, free of charge so that network defenders can quickly identify breach attempts.

Mike Newman, CEO of My1Login, has commented on this incident, stating that this attack is crucial because hackers accessed sensitive government data from Outlook.

“Attackers appear to have accessed highly sensitive information in this breach by coupling together a number of attack vectors. These are complex and sophisticated techniques that signal Microsoft was facing a determined adversary that was highly motivated to carry out this attack.”

Newman further noted that encryption is the best defence against such incidents, and the workforce shouldn’t be allowed to access user credentials so that they cannot be lost or solved. Moreover, Microsoft shouldn’t have access to consumers’ private keys in the first place. 

“It should be mandatory for security that customer data (i.e. emails, stored credentials, documents) is encrypted using keys that are only known to the customer, meaning they cannot be accessed by the cloud software provider or an external, malicious actor.”

  1. Chinese Group Storm-0558 Hacked European Govt Emails
  2. Chinese APT Flax Typhoon uses legit tools for cyber espionage
  3. Chinese Hackers Stole Signing Key to Breach Outlook Accounts
  4. Chinese Hackers Using Stolen Ivacy VPN Certificate To Sign Malware
  5. Chinese APT Slid Fake Signal, Telegram Apps onto Official App Stores
Related Posts