For most IT professionals, moving to the cloud has been a godsend. Instead of protecting your data yourself, you can have it protected by the security experts at Google or Microsoft. But when a single stolen key can give hackers access to cloud data from dozens of organizations, that trade-off starts to sound much more risky.
Late Tuesday night, Microsoft revealed that a China-based hacker group called Storm-0558 had done just that. The group, which focuses on espionage against Western European governments, had access to the cloud-based Outlook email systems of 25 organizations, including several government agencies.
Those targets include U.S. government agencies, including the State Department, according to CNN, though U.S. officials are still working to determine the full scope and ramifications of the breaches. An advisory from the US Cybersecurity and Infrastructure Security Agency says the breach, discovered in mid-June by a US government agency, stole unclassified email data “from a small number of accounts”.
China has been hacking Western networks relentlessly for decades. But this latest attack uses a unique trick: Microsoft says hackers stole a cryptographic key that allows them to generate their own authentication “tokens” — strings of information meant to prove a user’s identity — giving them the free control dozens of Microsoft customer accounts.
“We relied on passports and someone stole a passport printing machine,” said Jake Williams, a former NSA hacker who now teaches at the Institute for Applied Network Security in Boston. “For a store the size of Microsoft, with so many customers affected – or who could be affected – it is unprecedented.”
In web-based cloud systems, users’ browsers connect to a remote server, and when they enter credentials such as a username and password, they get a piece of data, known as a token, from that server. The token serves as a kind of temporary identity card that allows users to come and go as they please within a cloud environment, while only occasionally re-entering their credentials. To ensure the token cannot be counterfeited, it is cryptographically signed with a unique string of data known as a certificate or key that the cloud service holds, a sort of tamper-proof stamp of authenticity.
Microsoft, in its blog post revealing the Chinese Outlook breaches, described a sort of two-stage breakdown of that authentication system. First, hackers were somehow able to steal a key that Microsoft uses to sign tokens for consumer-class users of its cloud services. Second, the hackers exploited a bug in Microsoft’s token validation system that allowed them to sign consumer-grade tokens with the stolen key and then use it to access enterprise-class systems. This all happened despite Microsoft’s attempt to check for different key signatures for those different types of tokens.
Microsoft says it has now blocked all tokens signed with the stolen key and replaced the key with a new one, preventing the hackers from accessing the victims’ systems. The company adds that it has also been working to improve the security of its “key management systems” since the theft.
But exactly how such a sensitive key, enabling such broad access, could be stolen in the first place remains unknown. WIRED reached out to Microsoft, but the company declined to comment further.
In the absence of more details from Microsoft, one theory as to how the theft occurred is that the token-signing key was not, in fact, stolen from Microsoft at all, according to Tal Skverer, who leads research at security Astrix, who discovered earlier this year a token security vulnerability in Google’s cloud. In older configurations of Outlook, the service is hosted and managed on a customer-owned server rather than in Microsoft’s cloud. This potentially allowed the hackers to steal the key to one of these “on-premises” settings on a customer’s network.