Token theft

How a cloud flaw gave Chinese spies a key to Microsoft’s kingdom

Hackers stole a cryptographic key that let them forge user identities and slip past defenses.

Shadowy figures stand beneath a Microsoft logo on a faux wood wall.

For most IT professionals, the move to the cloud has been a godsend. Instead of protecting your data yourself, let the security experts at Google or Microsoft protect it instead. But when a single stolen key can let hackers access cloud data from dozens of organizations, that trade-off starts to sound far more risky.

Late Tuesday evening, Microsoft revealed that a China-based hacker group, dubbed Storm-0558, had done exactly that. The group, which is focused on espionage against Western European governments, had accessed the cloud-based Outlook email systems of 25 organizations, including multiple government agencies.

Those targets encompass US government agencies including the State Department, according to CNN, though US officials are still working to determine the full scope and fallout of the breaches. An advisory from the US Cybersecurity and Infrastructure Security Agency says the breach, which was detected in mid-June by a US government agency, stole unclassified email data “from a small number of accounts.”

China has been relentlessly hacking Western networks for decades. But this latest attack uses a unique trick: Microsoft says hackers stole a cryptographic key that let them generate their own authentication “tokens”—strings of information meant to prove a user’s identity—giving them free rein across dozens of Microsoft customer accounts.

“We put trust in passports, and someone stole a passport-printing machine,” says Jake Williams, a former NSA hacker who now teaches at the Institute for Applied Network Security in Boston. “For a shop as large as Microsoft, with that many customers impacted—or who could have been impacted by this—it’s unprecedented.”

In web-based cloud systems, users’ browsers connect to a remote server and, when they enter credentials like a username and password, they’re given a bit of data, known as a token, from that server. The token serves as a kind of temporary identity card that lets users come and go as they please within a cloud environment while only occasionally reentering their credentials. To ensure that the token can’t be spoofed, it’s cryptographically signed with a unique string of data known as a certificate or key that the cloud service possesses, a kind of unforgeable stamp of authenticity.

Microsoft, in its blog post revealing the Chinese Outlook breaches, has described a kind of two-stage breakdown of that authentication system. First, hackers were somehow able to steal a key that Microsoft uses to sign tokens for consumer-grade users of its cloud services. Second, the hackers exploited a bug in Microsoft’s token validation system, which allowed them to sign consumer-grade tokens with the stolen key and then use them to instead access enterprise-grade systems. All of this occurred despite Microsoft’s attempt to check for signatures from different keys for those different grades of token.
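As an added illustration, not Microsoft's code or a description of its internals, the following sketch of a token validator shows the difference the second-stage bug makes: the weak validator accepts any token signed by a key in the trust store, while the scoped one also requires that the signing key's grade match the resource being accessed. The key names, secrets and scopes are constructed, and HMAC-SHA256 stands in for the real asymmetric signature scheme.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store, one key per token grade; HMAC-SHA256 stands in for real asymmetric signatures.
KEYS = {
    "consumer-key-01": {"secret": b"consumer-signing-secret", "scope": "consumer"},
    "enterprise-key-01": {"secret": b"enterprise-signing-secret", "scope": "enterprise"},
}

def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact header.payload.signature token under the named key."""
    header = _b64e(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64e(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64e(sig)}"

def _verify_signature(token: str):
    """Return (kid, claims) if the token was signed by a key in the trust store, else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    kid = json.loads(_b64d(header_b64)).get("kid")
    if kid not in KEYS:
        return None
    expected = hmac.new(KEYS[kid]["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig_b64)):
        return None
    return kid, json.loads(_b64d(payload_b64))

def validate_weak(token: str, resource_scope: str):
    """Flawed check: any trusted key is accepted, so a consumer-signed token reaches enterprise data."""
    result = _verify_signature(token)
    return None if result is None else result[1]

def validate_scoped(token: str, resource_scope: str):
    """Hardened check: the signing key's scope and the token's audience must match the resource."""
    result = _verify_signature(token)
    if result is None:
        return None
    kid, claims = result
    if KEYS[kid]["scope"] != resource_scope or claims.get("aud") != resource_scope:
        return None
    return claims
```

A token minted with the consumer key but carrying an enterprise audience passes `validate_weak` at an enterprise endpoint and is rejected by `validate_scoped`, which is the check the article says Microsoft intended but did not enforce.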

Microsoft says it has now blocked all tokens that were signed with the stolen key and replaced the key with a new one, preventing the hackers from accessing victims’ systems. The company adds that it has also worked to improve the security of its “key management systems” since the theft occurred.

But exactly how such a sensitive key, allowing such broad access, could be stolen in the first place remains unknown. WIRED contacted Microsoft, but the company declined to comment further.

In the absence of more details from Microsoft, one theory of how the theft occurred is that the token-signing key wasn’t in fact stolen from Microsoft at all, according to Tal Skverer, who leads research at the security firm Astrix, which earlier this year uncovered a token security issue in Google’s cloud. In older setups of Outlook, the service is hosted and managed on a server owned by the customer rather than in Microsoft’s cloud. That might have allowed the hackers to steal the key from one of these “on-premises” setups on a customer’s network.
