U.S. Government Emails Hacked in Chinese Espionage Campaign

Microsoft has confirmed that China-based hackers have breached various parts of Microsoft’s Azure cloud email systems used by over 25 organizations, including the U.S. government. The company is tracking the threat group as Storm-0558. The hackers appear to have targeted specific U.S. organizations and government agencies that operate on “sensitive” but unclassified government networks. After breaching individual email accounts, the hackers gained persistent access for data exfiltration and espionage purposes.

The breach began May 15 and remained undetected until June 16, Microsoft announced in a report.

Chinese hackers used forged authentication tokens on Microsoft Azure

In the report, Microsoft states that the hacks into all affected organizations and agencies email systems on Azure cloud used forged authentication tokens. The tokens are used to access user email using an acquired Microsoft account (MSA) consumer signing key.

Microsoft stresses that they have completed mitigation of this attack vector for all customers.

Hack remains limited but highly targeted Chinese espionage campaign

Adam Hodge, spokesperson for the White House National Security Council commented that the attacks against U.S. agencies and organizations affected “unclassified systems.”

Unclassified government networks do not contain any classified national security data, or controlled unclassified information (CUI), such as personally identifiable information (PII), according to NIST.

Cyber investigators within the Biden administration are still attempting to determine the potential severity of the hacking campaign. The attack at first review appears far narrower and more targeted than the Russian-backed hack of SolarWinds in 2020 to breach federal and corporate networks globally.

China has been accused of and caught in cyber espionage campaigns for years. In May 2024, a Chinese government hacking group was caught deploying malware in critical infrastructure in Guam. The attack was seen as a foreshadowing of possible cyber offensive campaigns by China against Taiwan.