Chinese APT cracks Microsoft Outlook e-mails at 25 government agencies

This spring, a Chinese threat actor had access to email accounts across 25 government agencies in Western Europe and the US, including the State Department.

On July 11, Microsoft reported having quelled a cyberespionage campaign carried out by the group it tracks as “Storm-0558.” Storm-0558 is based in China and appears focused on espionage, primarily against Western government organizations.

Anonymous sources told CNN that the campaign affected the US State Department, as well as an entity on Capitol Hill (but whether the attackers were successful against the latter is less clear). The hackers honed in on “just a handful of officials’ email accounts at each agency in a hack aimed at specific officials,” CNN reported. It’s unclear what kind of sensitive information the adversaries were able to gain access to.

According to Microsoft’s profile of Storm-0558, it’s also known for its two custom malwares — Bling, and Cigril, a Trojan that encrypts files and runs them directly from system memory in order to evade detection.

In this instance, the group was able to forge authentication tokens to masquerade as authorized Azure Active Directory (AD) users, obtaining access to enterprise email accounts and the potentially sensitive information contained within.

“Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with,” said John Hultquist, Mandiant chief analyst with Google Cloud, in a written statement sent to Dark Reading. “They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth.”

To read the complete article, visit Dark Reading.