Crash Dump Snapshot Included Active Signing Key
Chinese hackers were able to access the email accounts of senior U.S. officials after Microsoft included an active digital signing key in a snapshot of data taken to analyze a crash of its consumer signing system in April 2021.
Inclusion of the key in the crash dump was just one of many mishaps leading to a China-based espionage hacking group Microsoft tracks as Storm-0558 gaining access to email accounts tied to 25 different organizations, including the U.S. Departments of State and Commerce (see: Hackers Stole Signing Key, Hit US Government’s Microsoft 365).
Microsoft detailed the chain of events leading to the hack in a Wednesday blog post. The email hacks started May 15 and went undetected for a month, coinciding with a European Parliament meeting on China policy and U.S. diplomatic trips to China. Tensions between the U.S. and China are mounting amid concern over Chinese aggression in the South China Sea and American steps to restrict Beijing’s access to advanced technology (see: US Restricts Investment in Chinese AI, Other Technologies).
The computing giant has previously acknowledged that the Chinese hackers were able to create their own authentication tokens to access cloud-based Outlook email accounts using a digital key from Microsoft’s signing system.
The crash dump contained the unredacted singing key due to a flaw that occurs when multiple computer instructions “race” to access or modify shared data simultaneously.
Consistent with standard debugging procedure, Microsoft moved the crash dump data from an isolated production environment – where the crash occurred – to the internet-connected corporate network. A scan meant to detect credentials did not spot the signing key. Chinese hackers apparently did better than automated scanning when they broke into a Microsoft’s engineer’s corporate account and sifted through the crash dump data.
At least, that’s what Microsoft thinks occurred: “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” it wrote.
The stolen signing key was for Microsoft consumer applications, but hackers used it to gain access to enterprise email. That’s because a key metadata publishing endpoint for consumer and enterprise applications did not automatically validate key scope, the company says. A hacker could use a consumer key to generate authentication tokens for enterprise applications.
U.S. federal cyber defenders spotted the hacking after examining log data. Microsoft in July said it will expand customer access to logs, a decision reached after consulting with the Cybersecurity and Infrastructure Security Agency. “Asking organizations to pay more for necessary logging is a recipe for inadequate visibility into investigating cybersecurity incidents and may allow adversaries to have dangerous levels of success in targeting American organizations,” said Eric Goldstein, executive assistant director for cybersecurity (see: Microsoft Expands Logging Access After Chinese Hack Blowback).
In August, the Department of Homeland Security – of which CISA is a component – announced that the DHS-led Cyber Safety Review Board will review the Microsoft email hacking incident and cloud-based identity and authentication infrastructure in general.