Microsoft reveals 2021 crash dump led to US State Department hacks


Microsoft has revealed that a 2021 consumer signing system crash dump inadvertently led to Chinese-backed hackers waging an attack on the US State Department and a host of global businesses. 

A threat actor group known as Storm-0558 was identified as the culprit for the July hacking campaign, which resulted in the exposure of State Department officials’ email communications.

According to Microsoft’s long-awaited post-mortem of the incident, a compromised engineer’s corporate account gave the hackers access to the debugging environment in which the leaked signing key sat; it was that key, not the account itself, that opened Outlook Web Access and Outlook.com to them.

“China-Based threat actor, Storm-0558, used an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA and Outlook.com,” the firm said in a blog post.

“Upon identifying that the threat actor had acquired the consumer key, Microsoft performed a comprehensive technical investigation into the acquisition of the Microsoft account consumer signing key, including how it was used to access enterprise email.”

Microsoft’s investigation revealed the compromised corporate account enabled attackers to gain access to a debugging environment containing information on a crash of a consumer signing system dated to April 2021.

Ordinarily, Microsoft said, sensitive information such as signing keys is redacted from ‘crash dumps’ before they leave production. A race condition bug, however, meant that the signing key survived in this dump.

The dump was subsequently moved from the isolated production network into a debugging environment on Microsoft’s corporate network, placing the key material within reach of anyone who compromised an account with access to that environment.

“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account,” Microsoft said.

“This account had access to the debugging environment containing the crash dump which incorrectly contained the key.”
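The failure described above is a missing release gate: a dump that should never contain key material left the production boundary without being checked. The following is an added example, not Microsoft’s code or anything the post-mortem published, of what such a gate can look like: it scans a dump for PEM-armoured private keys and for the raw or base64 form of known signing secrets, and refuses to release the dump if anything is found. The key id, the sample secret and both dumps are constructed for the demonstration, and it assumes the scanner runs where the signing service’s keys are reachable.

```python
from __future__ import annotations

import base64
import hashlib
import re
from dataclasses import dataclass

# Matches any PEM-armoured private key (RSA, EC, PKCS#8, ...) that survived in the dump.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z]+ )?PRIVATE KEY-----",
    re.DOTALL,
)


@dataclass(frozen=True)
class Finding:
    kind: str     # "pem-block" or "known-key"
    offset: int   # byte offset in the dump
    detail: str


def scan_dump(dump: bytes, known_keys: dict[str, bytes]) -> list[Finding]:
    """Locate key material in a crash dump before it leaves production.

    `known_keys` maps a key id to its raw secret bytes (hypothetical layout).
    The gate is assumed to run inside the production boundary where the signing
    service's keys are reachable, so it can search for the exact bytes as well
    as their base64 form, which is how a key often appears in a serialized
    config or log buffer.
    """
    findings: list[Finding] = []
    for match in PEM_PRIVATE_KEY.finditer(dump):
        digest = hashlib.sha256(match.group(0)).hexdigest()[:16]
        findings.append(Finding("pem-block", match.start(), f"sha256={digest}"))
    for kid, raw in known_keys.items():
        for encoding, needle in (("raw", raw), ("base64", base64.b64encode(raw))):
            start = 0
            while (idx := dump.find(needle, start)) != -1:
                findings.append(Finding("known-key", idx, f"{kid} ({encoding})"))
                start = idx + 1
    return sorted(findings, key=lambda f: f.offset)


def may_leave_production(dump: bytes, known_keys: dict[str, bytes]) -> bool:
    """Release gate: a dump with any finding stays on the isolated network."""
    return not scan_dump(dump, known_keys)


# Constructed sample data: a stand-in signing secret and two fake dumps.
SIGNING_KEY = hashlib.sha256(b"constructed consumer signing key").digest()
KNOWN_KEYS = {"consumer-2021": SIGNING_KEY}
CLEAN_DUMP = b"\x00" * 48 + b"thread 7: token_sign() frame" + b"\xff" * 48
LEAKY_DUMP = (
    CLEAN_DUMP[:40]
    + SIGNING_KEY                          # the race left the raw key in a buffer
    + CLEAN_DUMP[40:]
    + b"-----BEGIN PRIVATE KEY-----\nMIIBVgIBADANBgkq\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("clean dump releasable:", may_leave_production(CLEAN_DUMP, KNOWN_KEYS))
    for f in scan_dump(LEAKY_DUMP, KNOWN_KEYS):
        print(f"{f.kind:10s} @ {f.offset:5d}  {f.detail}")
```

A real gate would also look for keys in whatever serialized forms the signing service uses (DER, JWK) and would log the finding to a channel the dump’s requester cannot suppress; the structural point is that the check happens on the production side of the boundary, before the copy, not in the debugging environment after it.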

Attackers then used the stolen MSA key to forge tokens and breach the Exchange Online and Azure Active Directory (AD) accounts of more than 20 organizations globally. A consumer key should only have been able to sign tokens for consumer accounts; Microsoft’s post-mortem also found that a validation error in its token-handling libraries meant the mail system accepted tokens signed with the consumer key for enterprise email, which is how a leak from a consumer system became an enterprise breach.
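Two things had to go wrong for the stolen key to reach enterprise mailboxes: the attacker needed the signing key to mint tokens, and the verifying side had to trust that key for a scope it was never issued for (Microsoft’s post-mortem attributes the latter to a validation error in its token-handling libraries). The following is an added example, not Microsoft’s code, showing a weak verifier beside a hardened one on a minimal compact-JWS scheme. It uses HMAC-SHA256 as a stand-in for the RSA keys involved so that it runs with the standard library alone; the key ids, scopes, tenant and user names are all constructed for the demonstration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Constructed key directory. HMAC stands in for the real RSA keys; each key is
# provisioned for exactly one issuer scope, which is what the verifier must honour.
KEYS = {
    "consumer-2021": {
        "secret": hashlib.sha256(b"constructed consumer key").digest(),
        "scope": "consumer",
    },
    "enterprise-2023": {
        "secret": hashlib.sha256(b"constructed enterprise key").digest(),
        "scope": "enterprise",
    },
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_token(claims: dict, kid: str, secret: bytes) -> str:
    """Issue a compact JWS. Anyone holding `secret` can call this, including an attacker."""
    header = {"alg": "HS256", "kid": kid, "typ": "JWT"}
    signing_input = f"{_b64url(_json(header))}.{_b64url(_json(claims))}"
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(tag)}"


def _split(token: str):
    head, body, sig = token.split(".")
    header = json.loads(_b64url_decode(head))
    claims = json.loads(_b64url_decode(body))
    return header, claims, f"{head}.{body}".encode(), _b64url_decode(sig)


def _signature_ok(secret: bytes, signing_input: bytes, tag: bytes) -> bool:
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def verify_unscoped(token: str, keys: dict = KEYS) -> dict | None:
    """Weak verifier: every key in the directory is trusted for every audience.

    The signature on a token forged with a leaked consumer key is genuine, so
    this verifier accepts it even though the claims name an enterprise tenant.
    """
    header, claims, signing_input, tag = _split(token)
    key = keys.get(header.get("kid"))
    if header.get("alg") != "HS256" or key is None:
        return None
    return claims if _signature_ok(key["secret"], signing_input, tag) else None


def verify_scoped(token: str, endpoint_scope: str, keys: dict = KEYS) -> dict | None:
    """Hardened verifier: the key must be provisioned for this endpoint's scope
    and the token's own issuer claim must agree, so a consumer key can never
    authenticate an enterprise request no matter what the claims say."""
    header, claims, signing_input, tag = _split(token)
    key = keys.get(header.get("kid"))
    if header.get("alg") != "HS256" or key is None:
        return None
    if key["scope"] != endpoint_scope or claims.get("iss") != endpoint_scope:
        return None
    return claims if _signature_ok(key["secret"], signing_input, tag) else None


def forge_enterprise_token(leaked_kid: str, leaked_secret: bytes) -> str:
    """What an attacker does with a leaked consumer key: mint a token for an enterprise mailbox."""
    return sign_token(
        {"iss": "enterprise", "tid": "contoso-tenant", "upn": "official@contoso.example"},
        leaked_kid,
        leaked_secret,
    )


if __name__ == "__main__":
    forged = forge_enterprise_token("consumer-2021", KEYS["consumer-2021"]["secret"])
    print("unscoped verifier accepts:", verify_unscoped(forged))
    print("scoped verifier accepts:  ", verify_scoped(forged, "enterprise"))
```

The design point is that the verifier, not the token, decides which keys are acceptable for a given endpoint: `verify_scoped` pins the key’s provisioned scope to the endpoint it is protecting, so a valid signature from the wrong key system is rejected before the claims are even consulted. Checking `iss` alone would not be enough, since the attacker controls every claim in a token they sign themselves.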

A host of US government agencies, including the State Department and Commerce Department, were affected by the breach.

The incident underlines the potential knock-on effect of security mishaps elsewhere in Microsoft’s ecosystem, which the threat actor group exploited to devastating effect.

Microsoft under fire

Microsoft was subject to intense criticism in the wake of the July hacking campaign, with industry stakeholders and lawmakers alike criticizing its response to the incident.


Tenable CEO Amit Yoran accused the tech giant of “negligent practices” for its response to security vulnerabilities in recent years, specifically highlighting the espionage campaign in a public broadside against the firm.

“Microsoft’s lack of transparency applies to breaches, irresponsible security practices, and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” Yoran said at the time.

Yoran’s critique followed calls from US Senator Ron Wyden for an investigation into Microsoft’s security practices, with Wyden also describing the firm as “negligent”.

This intense pressure prompted Microsoft to issue a rare public rebuttal to the criticism from Yoran and lawmakers in early August.

The tech giant strongly denied claims of negligence and insisted it had not left customers “in the dark” during its response to vulnerabilities and security incidents.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.