Chinese state-linked hackers since May have secretly accessed email accounts at around 25 organizations, including at least two U.S. government agencies, Microsoft (MSFT.O) and U.S. officials said on Wednesday. Officials did not say which agencies were hacked. The hackers, reportedly seeking information useful to the Chinese government, were discovered by the State Department in mid-June, just weeks before Secretary of State Antony Blinken was scheduled to visit Beijing. Officials said the breach did not include classified data. The hackers, whose identities are unknown, exploited a flaw in Microsoft Cloud security that allows authorized users to sign into their accounts with just an email address and password. They also reportedly used stolen user authentication tokens to impersonate authorized users. In a technical advisory and a call with reporters, the Department of Homeland Security and the FBI said that an investigation is continuing and that the breaches have been mitigated.
A blog post by Microsoft on Tuesday said the hack was the work of a group it identified as Storm-0558, which it said primarily targets organizations in Western Europe. Microsoft said the attackers had gained access to email data at the impacted organizations and consumer accounts associated with those organizations. The company said it had alerted the affected agencies but did not disclose their names.
The Department of Commerce was among the agencies hacked, and the email of Commerce Secretary Gina Raimondo was among those compromised. She is the only Cabinet-level official known to have been a victim, and her agency has imposed stiff export controls on technology that Beijing opposes.
In the call, a senior CISA official said that while the agency was able to prevent the hackers from accessing any of its data, it did not know how many accounts had been breached or what kind of information was taken. He added that the agency has notified those impacted and is monitoring its systems.
It is unclear how the hackers got into the email accounts, but a cybersecurity expert told CNBC they could have accessed them by stealing a private certificate. The certificate, which is typically stored on a hardware device called a digital certificate authority, verifies the identity of an email sender and ensures the integrity of the message.
Reuters has contacted the telecommunications carrier that provides email services to the State and Commerce departments for comment. The carrier had not responded to those requests as of Wednesday.
The White House detected a breach of federal government accounts “fairly rapidly” and managed to prevent further breaches, national security adviser Jake Sullivan said on Wednesday. He did not name the agencies hacked but said the government was working with Microsoft to protect its systems. The United States would take “appropriate measures to impose costs on the adversary,” he said. The U.S. does not attribute cyberattacks to specific nations or individuals, but if evidence emerges that a country is behind a particular attack, it would act accordingly, he added.