The cloud transition has largely been seen as a blessing for IT professionals, allowing experts at Google or Microsoft to handle data protection rather than having to do it themselves. However, when a single stolen key can grant hackers access to cloud data from many organizations, the trade-off begins to seem far more precarious.
Microsoft announced late on Tuesday that a China-based hacker group, Storm-0558, specializing in espionage against Western European governments, had managed to do just that. The group had breached the cloud-based Outlook email systems of 25 organizations, including several government agencies.
Among the victims were US government agencies, including the State Department, as reported by CNN, although US officials are still trying to assess the full extent and impact of the breaches. The US Cybersecurity and Infrastructure Security Agency disclosed that a US government agency detected the breach in mid-June and that unclassified email data was stolen “from a small number of accounts.”
China has been persistent in hacking Western networks for decades. However, this latest attack employed a unique trick. According to Microsoft, the hackers stole a cryptographic key that allowed them to create their own authentication “tokens”—pieces of information designed to validate a user’s identity. This gave them unrestricted access to many Microsoft customer accounts.
Jake Williams, a former NSA hacker who currently instructs at the Institute for Applied Network Security in Boston, analogizes, “We put trust in passports, and someone stole a passport-printing machine. For a company as large as Microsoft, with that many customers impacted—or who could have been impacted by this—it’s unprecedented.”
In web-based cloud systems, a user’s browser connects to a remote server, and upon entering credentials like a username and password, they receive a token from that server. The token acts like a temporary ID card, allowing users to navigate within a cloud environment, only needing to reenter their credentials occasionally. To prevent the token from being forged, it’s cryptographically signed with a unique data string, a certificate or key that the cloud service owns—an unforgeable stamp of authenticity.
Microsoft has described a two-stage collapse of that authentication system in its blog post about the Chinese Outlook breaches. First, the hackers somehow stole a key that Microsoft uses to sign tokens for consumer-grade users of its cloud services. Second, the hackers leveraged a bug in Microsoft’s token validation system, allowing them to sign consumer-grade tokens with the stolen key and then use them to access enterprise-grade systems. All this happened even though Microsoft’s validation was supposed to check that tokens of each grade were signed with the key designated for that grade.
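The two-stage failure described above, modelled as an added example that is not Microsoft’s code or token format: a minimal HMAC-signed token and a keystore in which each key records the token grade it may vouch for. `validate_weak` reproduces the class of bug (any trusted key validates any grade of token), while `validate_strict` binds the key’s scope to the grade the token claims; all key ids, secrets and claims are constructed for the demonstration.

```python
import base64, hashlib, hmac, json

# Constructed sample keys (not real material): each signing key carries the
# token grade it is allowed to vouch for. The incident's bug amounts to
# ignoring this scope during validation.
KEYS = {
    "consumer-k1":   {"secret": b"consumer-demo-secret",   "scope": "consumer"},
    "enterprise-k1": {"secret": b"enterprise-demo-secret", "scope": "enterprise"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Issue a compact header.payload.signature token (HMAC-SHA256)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"

def _verify_signature(token: str, keys: dict):
    """Return (kid, claims) if the signature checks out under a known key, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        kid = json.loads(_unb64(header_b64))["kid"]
        key = keys[kid]  # unknown or rotated-out key ids fail here
    except (ValueError, KeyError):
        return None
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None
    return kid, json.loads(_unb64(payload_b64))

def validate_weak(token: str, keys: dict = KEYS) -> bool:
    """Flawed check: any key in the trusted set validates any grade of token."""
    return _verify_signature(token, keys) is not None

def validate_strict(token: str, keys: dict = KEYS) -> bool:
    """Hardened check: the signing key's scope must match the grade the token claims."""
    result = _verify_signature(token, keys)
    if result is None:
        return False
    kid, claims = result
    return keys[kid]["scope"] == claims.get("grade")

if __name__ == "__main__":
    forged = sign_token("consumer-k1", {"sub": "user@example.gov", "grade": "enterprise"})
    print(validate_weak(forged), validate_strict(forged))  # True False
```

Removing `consumer-k1` from the keystore, as a key rotation would, makes even the weak validator reject the forged token, which is the effect of the revocation Microsoft describes.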
Microsoft assures that it has now blocked all tokens signed with the stolen key and replaced the key with a new one, effectively cutting off the hackers from victim systems. The company also claims to have upgraded the security of its “key management systems” since the theft took place.
However, the manner in which such a broad-access sensitive key was stolen remains a mystery. Microsoft declined to comment further when contacted by WIRED.
Without additional information from Microsoft, one theory, proposed by Tal Skverer, the research lead at security firm Astrix, suggests that the token-signing key wasn’t stolen from Microsoft at all. Instead, in older Outlook setups, the service is hosted and managed on a customer-owned server rather than in Microsoft’s cloud. This might have enabled the hackers to steal the key from one of these “on-premises” setups on a customer’s network.
Skverer suggests that the hackers might have exploited the bug that let the key sign enterprise tokens, gaining access to an Outlook cloud instance shared by all the 25 organizations affected by the attack. He postulates, “My best guess is that they started from a single server that belonged to one of these organizations, made the jump to the cloud by abusing this validation error, and then they got access to more organizations that are sharing the same cloud Outlook instance.”
However, this theory doesn’t explain why a Microsoft service inside an enterprise network would use a key intended for signing consumer account tokens. It also doesn’t explain why so many organizations, including US government agencies, would all share one Outlook cloud instance.
An alternative and more worrying theory suggests that the hackers stole the token-signing key from Microsoft’s own network, tricked the company into issuing a new key to the hackers, or even reproduced it by exploiting mistakes in the cryptographic process that created it. In combination with the token validation bug Microsoft describes, it could have been used to sign tokens for any Outlook cloud account—a master key for a large chunk, or even all, of Microsoft’s cloud.
Robert “RSnake” Hansen, a renowned web security researcher, interprets Microsoft’s statement about enhancing the security of its “key management systems” as an indication that Microsoft’s “certificate authority”—its system for generating keys for cryptographically signing tokens—was possibly compromised by the Chinese spies. “It’s very likely there was either a flaw in the infrastructure or configuration of Microsoft’s certificate authority that led an existing certificate to be compromised or a new certificate to be created,” Hansen suggests.
If the hackers did indeed steal a signing key that could be broadly used to forge tokens across consumer accounts, and, due to Microsoft’s token validation issue, on enterprise accounts too, the number of victims could far surpass the 25 organizations Microsoft has publicly acknowledged, warns Williams.
Williams argues, “On the consumer side, how would you know? Microsoft hasn’t discussed that, and I think there’s a lot more transparency that we should expect.”
This recent revelation isn’t the first instance of state-sponsored hackers exploiting tokens to breach targets or extend their reach. The Russian hackers responsible for the infamous SolarWinds supply chain attack also pilfered Microsoft Outlook tokens from victims’ machines that could be used elsewhere on the network to maintain and expand their access to sensitive systems.
These incidents highlight the real-world risks involved in migrating to the cloud for IT administrators. While Microsoft and much of the cybersecurity industry have advocated for the transition to cloud-based systems to entrust security to tech giants rather than smaller companies, centralized systems can have their own vulnerabilities—with potentially massive repercussions.
Williams comments, “You’re handing over the keys to the kingdom to Microsoft. If your organization is not comfortable with that now, you don’t have good options.”