Microsoft-hosted government emails were compromised as a result of a Rube Goldberg series of errors.

    Microsoft revealed in the first half of July that the Chinese hacker group Storm-0558 had gotten access to emails from about 25 different companies, including US government institutions. Today, the company is outlining how that occurred as a result of a number of internal mistakes, underscoring how heavy a burden it is to maintain a huge, expanding software infrastructure in an increasingly unsafe digital world.

    Microsoft’s investigative report claims that Storm-0558 succeeded in obtaining a “Microsoft account consumer key,” which let the group generate access tokens for its targets’ accounts, and that it used those tokens to access corporate and governmental email accounts.

    Storm-0558 retrieved the key after a Rube Goldberg-like series of incidents placed it in a location where it wasn’t supposed to be. According to the company, when a system took a debugging snapshot of a process that had crashed, it didn’t properly strip sensitive information from the resulting “crash dump,” leaving the key in.

    Microsoft’s systems should still have picked up the “key material” in the crash dump, but it appears that they did not. When engineers at the company discovered the dump, they believed it was free of sensitive data and transferred it, key and all, from the “isolated production network” to the debugging environment.

    Another fail-safe that should have detected the key, a credential scan, then failed to do so. The last barrier was broken when Storm-0558 was able to access a Microsoft engineer’s corporate account and, through it, the very debugging environment to which the group was not entitled.

    Microsoft claims that although there are no logs that demonstrate this is how the key was removed from its systems, it is the “most probable” path the hackers took.

    One more surprise: despite being a consumer key, this one allowed the threat actors to access Microsoft business accounts. According to Microsoft, the company started adopting standard key metadata publishing in 2018 in response to customer requests for support tools that could be used for both consumer and business accounts.

    The company added that support, but it neglected to make the necessary adjustments to the systems used to authenticate keys so that they could distinguish between consumer and enterprise keys. Engineers of the mail system, presuming the upgrades had been performed, did not include any further authentication, so the mail system was unaware of the type of key that had been used.

    In other words, even with all the other failure points, the Storm-0558 hackers might not have been able to access the business email accounts used by the companies they targeted if those libraries had been updated correctly.
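    The missing check described above, shown as an added example (not Microsoft’s code and not from the report): a validator that accepts any key in the shared metadata, next to one that also requires the key’s type to match the account type. The key names, the metadata layout, the `account_type` claim and the token format are assumptions, and HMAC-SHA256 stands in for the real signature scheme.

```python
import base64, hashlib, hmac, json

# Constructed key metadata: one published document covering both key families,
# each entry labelled with the account type it may sign for (assumed layout).
KEYS = {
    "consumer-1": {"secret": b"constructed-consumer-secret", "scope": "consumer"},
    "enterprise-1": {"secret": b"constructed-enterprise-secret", "scope": "enterprise"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(kid: str, body: str) -> bytes:
    # HMAC-SHA256 stands in for the asymmetric signature a real issuer would use.
    return hmac.new(KEYS[kid]["secret"], body.encode(), hashlib.sha256).digest()

def issue(kid: str, claims: dict) -> str:
    """Build a sample token of the form kid.claims.mac."""
    body = f"{_b64(kid.encode())}.{_b64(json.dumps(claims).encode())}"
    return f"{body}.{_b64(_mac(kid, body))}"

def _verified(token: str):
    """Return (kid, claims) when the MAC matches a published key, else None."""
    try:
        kid_b64, claims_b64, mac_b64 = token.split(".")
        kid = _unb64(kid_b64).decode()
        claims = json.loads(_unb64(claims_b64))
        if kid not in KEYS or not isinstance(claims, dict):
            return None
        expected = _mac(kid, f"{kid_b64}.{claims_b64}")
        return (kid, claims) if hmac.compare_digest(_unb64(mac_b64), expected) else None
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        return None

def accept_signature_only(token: str) -> bool:
    """The gap described above: any key in the published metadata is accepted."""
    return _verified(token) is not None

def accept_with_scope(token: str, service_scope: str) -> bool:
    """Hardened check: the signing key's scope must match both the account type
    the token claims and the account type this service serves."""
    verified = _verified(token)
    if verified is None:
        return False
    kid, claims = verified
    return KEYS[kid]["scope"] == claims.get("account_type") == service_scope
```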

    Microsoft claims to have fixed all of the aforementioned problems, including the error that initially sent the signing key to the crash dump. In its post, the company also states that it is “continuously hardening systems.” Amit Yoran, CEO of Tenable, and Senator Ron Wyden (D-OR) have both dubbed Microsoft’s security procedures “negligent,” with Yoran accusing Microsoft of being too slow to address security problems.