Unless you’ve been living under a rock, you’ve probably read or heard about the targeted attacks on US government email that used authentication tokens forged with a Microsoft signing key. The China-based threat actor, which Microsoft tracks as Storm-0558, used an acquired Microsoft account (MSA) consumer signing key to forge tokens for Outlook Web Access (OWA) and Outlook.com, gaining access to sensitive email accounts. The attackers were discovered thanks to some sharp outside investigators and some well-designed audit logs, which showed that someone other than the parties authorized to access the accounts was opening these mailboxes by unusual means.
In other words (and in my reading of Microsoft’s reporting), what gave the attackers away was not the forged token itself but the way the mail was opened: rather than a normal desktop client, they used a different and unusual access method, and that deviation from the mailbox’s normal pattern was enough to trigger an investigation. Microsoft then found that a consumer (MSA) signing key had been used to forge the enterprise credentials the attackers needed. Microsoft later worked out how the attackers acquired the key, and what it found suggests the intrusion might have been prevented with enough foresight (albeit only if you were thinking very carefully about determined attackers several years ago).
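The detection point above is worth making concrete: the tell was not a bad signature but a mailbox being read by a client it had never been read with before, and the same unfamiliar client touching several mailboxes at once. The following is an added example (not code from the original article, and not Microsoft’s detection logic) that runs that check over constructed audit records. The field names (`mailbox`, `app_id`, `client`, `ip`) are an assumption loosely modelled on an Exchange Online mail-access audit event, not the real schema, and all of the records are made up for illustration.

```python
"""Flag mailbox reads that deviate from each mailbox's normal client pattern.

Added example: field names and all log records below are constructed for
illustration and do not reproduce any real audit-log schema or real data.
"""
import json
from collections import defaultdict

# Constructed "30-day" baseline: how each mailbox is normally read.
BASELINE_LOG = """
{"ts":"2023-05-01T08:01:00Z","mailbox":"alice@example.gov","app_id":"outlook-desktop","client":"Outlook/16.0","ip":"203.0.113.10"}
{"ts":"2023-05-01T08:02:00Z","mailbox":"alice@example.gov","app_id":"owa","client":"Mozilla/5.0 (Windows NT 10.0)","ip":"203.0.113.10"}
{"ts":"2023-05-02T09:15:00Z","mailbox":"bob@example.gov","app_id":"outlook-desktop","client":"Outlook/16.0","ip":"203.0.113.11"}
{"ts":"2023-05-02T09:20:00Z","mailbox":"bob@example.gov","app_id":"outlook-mobile","client":"Outlook-iOS/4.0","ip":"198.51.100.7"}
"""

# Constructed recent window: one normal read, then an unfamiliar scripted
# client sweeping three mailboxes from a single address.
RECENT_LOG = """
{"ts":"2023-06-15T03:12:00Z","mailbox":"alice@example.gov","app_id":"outlook-desktop","client":"Outlook/16.0","ip":"203.0.113.10"}
{"ts":"2023-06-15T03:14:00Z","mailbox":"alice@example.gov","app_id":"custom-tool","client":"python-requests/2.31","ip":"192.0.2.44"}
{"ts":"2023-06-15T03:15:00Z","mailbox":"bob@example.gov","app_id":"custom-tool","client":"python-requests/2.31","ip":"192.0.2.44"}
{"ts":"2023-06-15T03:16:00Z","mailbox":"carol@example.gov","app_id":"custom-tool","client":"python-requests/2.31","ip":"192.0.2.44"}
"""


def parse_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(events):
    """Map each mailbox to the (app_id, client) pairs it has historically been read with."""
    seen = defaultdict(set)
    for e in events:
        seen[e["mailbox"]].add((e["app_id"], e["client"]))
    return seen


def find_anomalies(baseline, events, fanout_threshold=3):
    """Return alerts for two patterns:
    - novel_client: a mailbox read with an (app_id, client) pair never seen
      in its baseline (a mailbox with no baseline at all is flagged too,
      deliberately erring on the side of noise);
    - client_fanout: one (app_id, client) identity reading at least
      fanout_threshold distinct mailboxes in the window.
    """
    alerts = []
    mailboxes_by_client = defaultdict(set)
    for e in events:
        key = (e["app_id"], e["client"])
        mailboxes_by_client[key].add(e["mailbox"])
        if key not in baseline.get(e["mailbox"], set()):
            alerts.append({
                "type": "novel_client",
                "mailbox": e["mailbox"],
                "app_id": e["app_id"],
                "client": e["client"],
                "ip": e["ip"],
            })
    for (app_id, client), boxes in mailboxes_by_client.items():
        if len(boxes) >= fanout_threshold:
            alerts.append({
                "type": "client_fanout",
                "app_id": app_id,
                "client": client,
                "mailboxes": sorted(boxes),
            })
    return alerts


def run():
    """Build the baseline from history and score the recent window against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return find_anomalies(baseline, parse_log(RECENT_LOG))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

The point of the two rules is that neither depends on the token being recognisably bad: a forged token with a valid signature still produces an access record, and the record still carries a client identity that either matches the mailbox’s history or does not. In production the baseline window, the fan-out threshold and the choice of client fields all need tuning against your own volume of legitimate automation.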
Bad actors may already lurk in your network
In April 2021, a consumer signing system crashed with a blue screen of death, and the resulting crash dump included the signing key material. The signing system itself lives on an isolated production network, but at some point after April 2021 the crash dump was moved to the corporate network for debugging.
When an attacker later compromised an engineer’s corporate account and gained access to that network, the crash dump containing the key was there to be picked up. Reading Microsoft’s write-up of what happened, I wonder whether, because log-retention policies do not reach back to an event that happened years earlier, the present explanation represents what Microsoft thinks happened rather than what it knows with absolute certainty.
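The practical control suggested by the crash-dump story is a gate between the isolated network and anywhere else: before a dump from a key-handling host is moved, scan it for key material and refuse the move if anything is found. Below is an added example (not code from the original article, and not Microsoft’s tooling) of such a gate. The "dump" is a constructed byte buffer with key-shaped material planted at known offsets, not a real crash dump; the three patterns are the standard PEM private-key header, the leading bytes of a PKCS#1 `RSAPrivateKey` DER structure, and the leading bytes of a PKCS#8 `PrivateKeyInfo` carrying the rsaEncryption OID.

```python
"""Scan a process crash dump for private-key material before it leaves an
isolated network.

Added example: the sample dump is constructed here for illustration; none of
the bytes come from a real system.
"""
import re

# PEM armour for the common private-key types.
PEM_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")

# PKCS#1 RSAPrivateKey: SEQUENCE (long-form length), INTEGER version 0,
# then the modulus as a long-form INTEGER.
PKCS1_RE = re.compile(rb"\x30\x82[\x00-\xff]{2}\x02\x01\x00\x02\x82")

# PKCS#8 PrivateKeyInfo: SEQUENCE, INTEGER version 0, then the
# AlgorithmIdentifier SEQUENCE with OID 1.2.840.113549.1.1.1 (rsaEncryption).
PKCS8_RSA_RE = re.compile(
    rb"\x30\x82[\x00-\xff]{2}\x02\x01\x00\x30\x0d\x06\x09"
    rb"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
)

DETECTORS = (
    ("pem_private_key", PEM_RE),
    ("pkcs1_rsa_der", PKCS1_RE),
    ("pkcs8_rsa_der", PKCS8_RSA_RE),
)


def make_sample_dump():
    """Constructed dump: inert filler with three key-shaped plants between."""
    filler = bytes(range(256)) * 64  # 16384 bytes, contains none of the patterns
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           + b"QUFBQUFB" * 8
           + b"\n-----END RSA PRIVATE KEY-----\n")
    pkcs1 = b"\x30\x82\x04\xa3\x02\x01\x00\x02\x82\x01\x01\x00" + b"\xab" * 32
    pkcs8 = (b"\x30\x82\x04\xbe\x02\x01\x00\x30\x0d\x06\x09"
             b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x04\x82\x04\xa8"
             + b"\xcd" * 32)
    return filler + pem + filler + pkcs1 + filler + pkcs8 + filler


def scan_for_keys(dump):
    """Return (label, offset) for every key-material pattern found, by offset."""
    findings = []
    for label, pattern in DETECTORS:
        for m in pattern.finditer(dump):
            findings.append((label, m.start()))
    return sorted(findings, key=lambda f: f[1])


def export_gate(dump):
    """True only if nothing key-shaped was found, i.e. the dump may be moved."""
    return not scan_for_keys(dump)


if __name__ == "__main__":
    sample = make_sample_dump()
    for label, offset in scan_for_keys(sample):
        print(f"{label} at offset {offset:#x}")
    print("export allowed:", export_gate(sample))
```

A byte-pattern scan only catches keys that sit contiguously in memory in a standard encoding; a key held as separate big-integer limbs, or split across pages, will not match. That is why the gate is a backstop rather than the control itself: a dump taken from a host that handles signing keys should be assumed to contain them and kept on the isolated network unless it has been scrubbed, whatever the scanner says.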
Without actual log files and forensic evidence, one can only gather the information that still exists and infer what occurred. What is clear is that attackers have started to lie in wait and are taking longer between gaining access and abusing it. Identifying when someone first gained access, and then deciding to restore your network to a point in time before the intrusion, may therefore become a practical as well as a technical impossibility: the logs and backups from that far back may simply no longer exist.
While most organizations and companies do not operate in the same high-profile, target-rich environment as Microsoft and national governments, the way the Storm-0558 attacks played out holds some valuable lessons and considerations for every CISO.