Chain of Rube Goldberg failures led to Microsoft-hosted government email breach

In the first half of July, Microsoft revealed that the Chinese hacker group Storm-0558 had accessed the email of around 25 organizations, including US government agencies. Today, the company explained how it happened: through a chain of internal errors, while stressing how much of a burden it is to secure a massive and growing software infrastructure in an increasingly precarious digital environment.

According to Microsoft’s investigation summary, Storm-0558 was able to read corporate and government email after obtaining a “Microsoft account consumer signing key”, which allowed the group to forge access tokens for the accounts of its targets.

Storm-0558 obtained the key after a series of Rube Goldberg machine-like events put the key somewhere it never should have been in the first place. The company writes that when a system created a debug snapshot (a so-called “crash dump”) of a process that had crashed, the snapshot should have been scrubbed of all sensitive information, but it wasn’t, so the key stayed in it.

Microsoft’s systems should have detected the key material in the crash dump anyway, but apparently they didn’t. So when company engineers came across the dump, they assumed it contained no sensitive data and moved it, key and all, from the “isolated production network” into the company’s debugging environment.

Then another failsafe, a credential scan that should also have caught the key, failed to find it. The final gate fell when Storm-0558 compromised a Microsoft engineer’s corporate account, which gave the hackers access to a debugging environment that should never have held the key in the first place.

Microsoft writes that it has no logs proving this is how the key left its systems, but says it is the “most likely” route the attackers took.

There is one last thing: it was a consumer key, yet it let the threat actors into enterprise Microsoft accounts. Microsoft says that in 2018 it began publishing key metadata through a common endpoint, in response to demand for software that works with both consumer and enterprise accounts.

The company added that support, but it failed to make the corresponding updates to the libraries used to validate the keys, that is, to determine whether a key is a consumer key or an enterprise key. The mail system’s engineers, assuming those updates had been made, added no extra validation of their own, leaving the mail system blind to which kind of key had signed a token.

In short, had those libraries been properly updated, the Storm-0558 hackers might not have been able to reach the enterprise email accounts of the organizations they were targeting, even with every other point of failure in place.
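To make that last point concrete, here is an added illustration of the difference between a token validator that only checks the signature against the merged key set and one that also checks the key’s scope. It is written for this page and is not Microsoft’s code or its real token format (Azure AD issues RS256 JWTs validated against published JWKS metadata; this example uses HMAC-SHA256 with a constructed key table so it runs offline). `SIGNING_KEYS`, the `scope` field, the `tenant_type` claim and the `validate_blind` / `validate_scoped` names are assumptions of the example.

```python
"""Added example: a signing key's scope must be checked, not just its signature."""
import base64
import hashlib
import hmac
import json
import time

# Constructed key table for this example (placeholder secrets, not real keys).
# Because consumer and enterprise keys are published through one metadata
# endpoint, a verifier that loads that metadata sees both kinds of key; the
# "scope" field records what each key is allowed to sign for.
SIGNING_KEYS = {
    "consumer-key-01": {"secret": b"demo-consumer-secret", "scope": "consumer"},
    "enterprise-key-01": {"secret": b"demo-enterprise-secret", "scope": "enterprise"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Mint a JWT-style HS256 token. Anyone holding the secret for `kid` can do this,
    including an attacker who lifted that secret from a crash dump."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str) -> tuple:
    """Check signature and expiry against the key named by `kid`; return (header, claims)."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    key = SIGNING_KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return header, claims


def validate_blind(token: str, service_tenant_type: str) -> dict:
    """The weak check: a valid signature from ANY published key is accepted.
    `service_tenant_type` is ignored, which is exactly the bug."""
    _header, claims = _verify_signature(token)
    return claims


def validate_scoped(token: str, service_tenant_type: str) -> dict:
    """The corrected check: the key that signed the token must be allowed to sign
    for this tenant type, and the token's own tenant claim must agree with it."""
    header, claims = _verify_signature(token)
    key_scope = SIGNING_KEYS[header["kid"]]["scope"]
    if key_scope != service_tenant_type:
        raise ValueError(f"{key_scope} key cannot sign {service_tenant_type} tokens")
    if claims.get("tenant_type") != service_tenant_type:
        raise ValueError("tenant_type claim does not match the service")
    return claims


def forged_token() -> str:
    """What an attacker holding only the consumer key can mint: enterprise claims, consumer kid."""
    claims = {"sub": "user@agency.example", "tenant_type": "enterprise", "exp": time.time() + 3600}
    return mint_token("consumer-key-01", claims)


def legitimate_token() -> str:
    """What the enterprise issuer itself would mint."""
    claims = {"sub": "user@agency.example", "tenant_type": "enterprise", "exp": time.time() + 3600}
    return mint_token("enterprise-key-01", claims)


def tampered_token() -> str:
    """A legitimate token whose claims were edited without re-signing; both validators must reject it."""
    head_b64, _claims_b64, sig_b64 = legitimate_token().split(".")
    edited = {"sub": "admin@agency.example", "tenant_type": "enterprise", "exp": time.time() + 3600}
    return head_b64 + "." + _b64url(json.dumps(edited).encode()) + "." + sig_b64


def accepts(validator, token: str, service_tenant_type: str = "enterprise") -> bool:
    try:
        validator(token, service_tenant_type)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("blind validator accepts forged token: ", accepts(validate_blind, forged_token()))
    print("scoped validator accepts forged token:", accepts(validate_scoped, forged_token()))
    print("scoped validator accepts real token:  ", accepts(validate_scoped, legitimate_token()))
```

The forged token carries a perfectly valid signature, so any check that stops at “is this signed by a key in the published set?” passes it. Binding the key to the tenant type it may sign for, and checking that binding on every validation, is the part the mail system’s libraries were missing.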

Microsoft says it has fixed all of the above issues, including the bug that put the signing key into the crash dump in the first place. The company adds in its post that it is “continuously strengthening systems.” Microsoft has come under increasing criticism for its security practices, which Sen. Ron Wyden (D-OR) and Tenable CEO Amit Yoran have called “negligent,” with Yoran accusing Microsoft of being too slow to respond to its security vulnerabilities.