In a significant data breach, Chinese state-linked hackers accessed nearly 25 email accounts – including those of US government agencies such as the State Department – via a flaw in Microsoft’s cloud email service. Both Microsoft and US officials confirmed the development.

“Last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” Adam Hodge, a spokesperson for the White House’s National Security Council, said in a statement. “Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. government to a high security threshold.”

The cybersecurity incident enabled the threat actors – tracked as Storm-0558 – to access the email accounts of several officials of the US government, including that of Commerce Secretary Gina Raimondo. The others who have been affected by the major security breach include consumer accounts linked to individuals associated with these organizations, Microsoft says. In response, the Chinese embassy in London called the accusation “disinformation,” and went on to call the US government “the world’s biggest hacking empire and global cyber thief.”

This significant breach raises concerns regarding the protection of national security, particularly in an era when digital infrastructure plays a critical role in government operations. Cyberattacks on government agencies can compromise confidential information, disrupt operations, and undermine trust in the government’s ability to safeguard sensitive data. It also underscores the need for robust cybersecurity measures to protect critical government infrastructure and safeguard national interests, as well as to prevent incidents such as identity theft, espionage, and other malicious activities such as the disruption of normal government operations.

According to reports, the threat actors repeatedly manipulated credentials to access the email accounts even after the tech titan started to investigate unusual activity within a few weeks of the initial attack. A spokesperson for the State Department added that it “detected anomalous activity” and “took immediate steps to secure our systems,” and alerted Microsoft to the breach. According to an advisory issued by US cybersecurity agency CISA, the threat actors accessed unclassified email data in what the FBI describes as a “targeted campaign.”

Charles Carmakal, CTO and VP at Google Cloud, described the method of the cyberattack as “a very advanced technique,” one that was used by Storm-0558 “against a limited number of high value targets. Each time the technique was used, it increased the chances of the threat actor getting caught. Kudos to Microsoft for leaning in, figuring this out, remediating, collaborating with partners and being transparent.”

As per Microsoft’s investigation, the threat actors forged authentication tokens to impersonate Azure AD users and used them to access email accounts through Outlook Web Access in Exchange Online (OWA) and Outlook.com. Once the company was notified, it completed mitigation of this attack for all customers and successfully blocked Storm-0558 from accessing customer email accounts with the forged authentication tokens. The tech giant added that it also replaced the key to prevent Storm-0558 from using it to forge further tokens.