An unnamed Federal Civilian Executive Branch (FCEB) agency in the U.S. detected anomalous email activity in mid-June 2023, leading to Microsoft's discovery of a new China-linked espionage campaign targeting two dozen organizations.
The details come from a joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) on July 12, 2023.
"In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment," the authorities said. "Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data."
While the name of the government agency was not revealed, CNN and the Washington Post reported it was the U.S. State Department, citing people familiar with the matter. Also targeted were the Commerce Department as well as the email accounts belonging to a congressional staffer, a U.S. human rights advocate, and U.S. think tanks. The number of affected organizations in the U.S. is estimated to be in the single digits.
The disclosure comes a day after the tech giant attributed the campaign to an emerging "China-based threat actor" it tracks under the name Storm-0558, which primarily targets government agencies in Western Europe and focuses on espionage and data theft. Evidence gathered so far shows that the malicious activity began a month earlier before it was detected.
China, however, has rejected accusations it was behind the hacking incident, calling the U.S. "the world's biggest hacking empire and global cyber thief" and that it's "high time that the U.S. explained its cyber attack activities and stopped spreading disinformation to deflect public attention."
The attack chain entailed the cyberspies leveraging forged authentication tokens to gain access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com. The tokens were forged using an acquired Microsoft account (MSA) consumer signing key. The exact method by which the key was secured remains unclear.
Also used by Storm-0558 to facilitate credential access are two custom malware tools named Bling and Cigril, the latter of which has been characterized as a trojan that decrypts encrypted files and runs them directly from system memory in order to avoid detection.
CISA said the FCEB agency was able to identify the breach by leveraging enhanced logging in Microsoft Purview Audit, specifically using the MailItemsAccessed mailbox-auditing action.
The agency is further recommending that organizations enable Purview Audit (Premium) logging, turn on Microsoft 365 Unified Audit Logging (UAL), and ensure logs are searchable by operators to allow hunting for this kind of activity and differentiate it from expected behavior within the environment.
"Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic," CISA and FBI added.