The impact of a stolen Microsoft key could be bigger than expected

  • July 24, 2023

Much uncertainty remains over the matter after Chinese hackers used a stolen Microsoft key to spy on various Western government services. The impact could be greater than indicated.

Last week it became known that hackers from the China-based group that Microsoft tracks as Storm-0558 were able to read the mail traffic of some 25 Western organizations. The purpose of the attack was espionage. The hackers got in using forged authentication tokens. Forging a token that Microsoft's services will accept is only possible with one of Microsoft's own private signing keys, and the attackers had obtained exactly such a key: an MSA (Microsoft account) consumer signing key.

After the hack, Microsoft revoked the key, so every token signed with it is now rejected. That should, in principle, make it impossible for the hackers to break into other organizations with it, and the original victims are basically safe again. Much remains unclear, however.

Where does the key come from?

The main question is how the attackers obtained the MSA key. A signing key like this is extremely sensitive and, in the wrong hands, can do a great deal of damage, as Storm-0558 has shown. Microsoft has not said what went wrong in the protection of this critical key.

Researchers at Wiz Research also claim that the key opened more doors than originally thought. Although the attackers appeared only to penetrate Outlook.com and Exchange Online, they could also have used the MSA key to get into other services. According to the researchers, various Azure Active Directory applications such as SharePoint, Teams and OneDrive, and even enterprise applications that support "Sign in with Microsoft", were at risk. The reason a consumer key could reach that far is that, as Microsoft's own analysis acknowledged, a token validation error in its code allowed tokens signed with this consumer key to be accepted by enterprise Azure AD services as well.

Limited logs

Additionally, although the acute risk has passed, Wiz notes that it is very difficult for organizations to determine whether they were spied on, because detailed token verification logs were not available to them. Under pressure from the US government, Microsoft will now share more logs with customers at no extra charge. That is a direct response to the fact that the logs needed to detect this intrusion were only available as part of a paid plan.

Revoking the key also neutralizes the attack vector itself, but Wiz rightly points out that the hackers could have used their access to plant backdoors or other persistence in victims' environments. Without clear logs or indicators, it is not easy to quickly establish whether that happened.
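The mechanics behind the three points above (a forged token verifies as long as the signing key is trusted, issuer scoping decides whether a consumer key can vouch for an enterprise tenant, and revocation plus per-verification logging are what lets a defender answer "were we hit?") can be illustrated in a few dozen lines. The code below is an added example written for this page; it is not Microsoft's, Wiz's or any real token validator's code. It assumes HMAC-SHA256 as a stand-in for the RSA signatures real MSA and Azure AD tokens carry, and every key ID, issuer, audience and user name in it is constructed.

```python
"""Toy token verifier: key-set lookup, issuer scoping, revocation and a verification log.
Added illustration for the Storm-0558 story; HMAC-SHA256 stands in for RSA signing, and all
key IDs, issuers, audiences and identities below are constructed, not real Microsoft values."""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, secret: bytes, claims: dict) -> str:
    """Mint a compact header.payload.signature token (JWS layout) with HMAC-SHA256."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


class TokenVerifier:
    """Validates tokens against a key set and records every attempt, accepted or not."""

    def __init__(self):
        self.keys = {}        # kid -> (secret, issuers this key may sign for)
        self.revoked = set()  # kids that have been pulled; tokens signed with them are refused
        self.log = []         # one record per verification: the log customers lacked in 2023

    def add_key(self, kid: str, secret: bytes, issuers) -> None:
        self.keys[kid] = (secret, frozenset(issuers))

    def revoke(self, kid: str) -> None:
        self.revoked.add(kid)

    def verify(self, token: str, expected_aud: str, now=None):
        """Return the claims if the token is valid for expected_aud, else None (and log why)."""
        now = time.time() if now is None else now
        kid, claims = None, None

        def reject(reason):
            self._record(now, kid, claims, expected_aud, "rejected: " + reason)
            return None

        try:
            h_b64, p_b64, s_b64 = token.split(".")
            header = json.loads(_unb64(h_b64))
            claims = json.loads(_unb64(p_b64))
            sig = _unb64(s_b64)
        except ValueError:  # bad split, bad base64 (binascii.Error) and bad JSON all subclass ValueError
            return reject("malformed token")
        kid = header.get("kid")
        if kid in self.revoked:
            return reject("key revoked")
        if kid not in self.keys:
            return reject("unknown key")
        secret, issuers = self.keys[kid]
        expected = hmac.new(secret, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return reject("bad signature")
        # Scope check: a key is trusted only for the issuers it was provisioned for, so a
        # consumer-only key cannot vouch for an enterprise tenant even with a valid signature.
        if claims.get("iss") not in issuers:
            return reject("key not authorised for issuer")
        if claims.get("aud") != expected_aud:
            return reject("audience mismatch")
        if claims.get("exp", 0) < now:
            return reject("token expired")
        self._record(now, kid, claims, expected_aud, "accepted")
        return claims

    def _record(self, now, kid, claims, aud, outcome):
        claims = claims or {}
        self.log.append({"ts": now, "kid": kid, "iss": claims.get("iss"),
                         "sub": claims.get("sub"), "aud": aud, "outcome": outcome})


def demo():
    """Walk through the Storm-0558 pattern on constructed keys and identities."""
    consumer_key = b"constructed consumer signing key"  # stands in for the stolen MSA key
    v = TokenVerifier()
    v.add_key("msa-consumer-2016", consumer_key, issuers={"login.live.com"})
    exp = 4_102_444_800  # 2100-01-01, so the sample tokens do not expire during the demo
    # 1. Attacker holds the consumer key: a forged consumer token is accepted while the key is trusted.
    forged = sign_token("msa-consumer-2016", consumer_key,
                        {"iss": "login.live.com", "sub": "victim@outlook.com", "aud": "exchange", "exp": exp})
    accepted = v.verify(forged, "exchange") is not None
    # 2. Same key, but the token names an enterprise issuer: issuer scoping refuses it.
    enterprise = sign_token("msa-consumer-2016", consumer_key,
                            {"iss": "sts.windows.net/contoso", "sub": "cfo@contoso.example",
                             "aud": "exchange", "exp": exp})
    scoped_out = v.verify(enterprise, "exchange") is None
    # 3. Key revoked: the token that was accepted in step 1 is now rejected.
    v.revoke("msa-consumer-2016")
    after_revocation = v.verify(forged, "exchange") is None
    return accepted, scoped_out, after_revocation, v.log


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

Step 2 is the check that, according to Microsoft's description of the incident, failed in its own validation code: with a correct signature but no issuer scoping, a consumer key becomes a master key. The `log` list is the other half of the story: each record carries the `kid`, issuer and subject, which is exactly what an investigator needs to search for tokens signed with a key that was later revoked.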

Speculation

For its part, Microsoft notes that Wiz's analysis rests mostly on speculation rather than proven facts. The company states that the indicators of compromise published on its own blog are accurate and sufficient to detect abuse.

If we speculate a little ourselves: the Wiz researchers have uncovered a possible scenario that, in this case, probably did not play out. That is due more to the targeted approach of the hackers, who were after espionage, than to anything Microsoft did. With the MSA key, Storm-0558 held a potential master key to the Azure kingdom.

Source: IT Daily
