US State Department Breach: Chinese Hackers Steal Thousands of Emails
Chinese hackers breached Microsoft’s cloud-based Exchange email system in May 2023 and stole tens of thousands of emails from U.S. State Department accounts.
During a recent Senate staff briefing, U.S. State Department officials disclosed that the attackers successfully accessed Outlook accounts belonging to State Department officials stationed in East Asia, the Pacific, and Europe. This breach led to the theft of at least 60,000 emails, as reported by Reuters.
In addition to the email theft, the hackers obtained a comprehensive list of email accounts within the State Department. Notably, the compromised accounts were primarily related to Indo-Pacific diplomatic efforts.
US State Department Breach Calls for Strengthening Cybersecurity
Senator Eric Schmitt emphasized the urgency of bolstering cybersecurity defenses against such cyberattacks. He also raised concerns about the federal government’s reliance on a single vendor, advocating for a thorough review to prevent potential vulnerabilities.
Microsoft publicly acknowledged the breach in July, revealing that threat actors breached Outlook accounts linked to approximately 25 organizations. These organizations included the U.S. State and Commerce Departments, along with certain consumer accounts.
National Security Council Response
The National Security Council confirmed the incident in July and clarified that the attackers had accessed unclassified systems. It said it acted promptly to identify the source of the intrusion and the vulnerability in Microsoft’s cloud service.
These cyberattacks have been attributed to a cyber-espionage group known as Storm-0558, with a focus on infiltrating email systems to obtain sensitive information.
US State Department Breach: Methodology
Microsoft detailed how the threat group first obtained a consumer signing key and used it to compromise Exchange Online and Azure Active Directory accounts. The group exploited a token-validation vulnerability (a zero-day that has since been patched) to impersonate accounts within targeted organizations.
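The failure class described above, a signing key from one issuer being accepted for tokens that claim a different issuer, is easy to see in code. The following is an added illustration written for this article; it is not Microsoft's code and does not reproduce the actual Azure Active Directory validation logic. Real identity services use asymmetric keys published per tenant type; here HMAC keys, the key identifiers, issuer names and user identity are all constructed stand-ins. The point is the check itself: a hardened validator binds each key to the issuer it is allowed to vouch for, so a signature that verifies under a consumer key cannot authenticate an enterprise identity.

```python
import base64
import hashlib
import hmac
import json

# Constructed key catalogue: each signing key is registered to exactly one
# issuer class. (HMAC secrets stand in for the asymmetric keys a real
# identity service would publish.)
KEYS = {
    "consumer-key-1": {"issuer": "consumer", "secret": b"consumer-demo-secret"},
    "enterprise-key-1": {"issuer": "enterprise", "secret": b"enterprise-demo-secret"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Build a compact header.payload.signature token signed with key `kid`."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def _parse(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, f"{parts[0]}.{parts[1]}", b64url_decode(parts[2])


def _signature_ok(kid: str, signing_input: str, sig: bytes) -> bool:
    key = KEYS.get(kid)
    if key is None:
        return False
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_weak(token: str, expected_issuer: str):
    """Flawed validator: verifies the signature under whichever known key the
    header names, then trusts the token's own 'iss' claim. A valid signature
    from a key belonging to a different issuer class is accepted."""
    parsed = _parse(token)
    if parsed is None:
        return (False, "malformed")
    header, claims, signing_input, sig = parsed
    if not _signature_ok(header.get("kid"), signing_input, sig):
        return (False, "bad signature")
    if claims.get("iss") != expected_issuer:
        return (False, "wrong issuer claim")
    return (True, claims.get("sub"))


def validate_strict(token: str, expected_issuer: str):
    """Hardened validator: the key named in the header must be registered for
    the issuer this service expects. The issuer is decided by key scope, not
    by the self-declared claim, so a consumer key cannot vouch for an
    enterprise identity even though its signature verifies."""
    parsed = _parse(token)
    if parsed is None:
        return (False, "malformed")
    header, claims, signing_input, sig = parsed
    key = KEYS.get(header.get("kid"))
    if key is None or key["issuer"] != expected_issuer:
        return (False, "key not authorised for issuer")
    if not _signature_ok(header["kid"], signing_input, sig):
        return (False, "bad signature")
    if claims.get("iss") != expected_issuer:
        return (False, "wrong issuer claim")
    return (True, claims.get("sub"))


if __name__ == "__main__":
    # Constructed scenario: a token signed with the consumer key but claiming
    # an enterprise identity. The weak validator accepts it; the strict one
    # rejects it before even checking the signature.
    forged = sign_token("consumer-key-1", {"iss": "enterprise", "sub": "user@example.test"})
    print("weak  :", validate_weak(forged, "enterprise"))
    print("strict:", validate_strict(forged, "enterprise"))
```

The design choice worth noting is the order of checks in `validate_strict`: key scope is resolved from the verifier's own catalogue before the signature is examined, so an attacker-controlled `kid` or `iss` value never decides which trust domain a token belongs to. Defenders reviewing their own token validation should look for the same binding between key identifier and issuer, and log any token whose key scope and issuer claim disagree, since that mismatch is a signal of forgery rather than a configuration error.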
Microsoft’s Response and Cooperation
In response to the breach, Microsoft took action by revoking the stolen signing key and investigating potential unauthorized access. The company also committed to providing broader access to cloud logging data to enhance network defenders’ capabilities.
Criticism and Reform
Microsoft faced criticism for restricting access to cloud logging data. Under pressure from the Cybersecurity and Infrastructure Security Agency (CISA), the company agreed to broaden access to this critical information, addressing concerns about timely breach detection.