UPDATED 15:10 EDT / JULY 12 2023

SECURITY

Microsoft reveals Chinese hackers breached US government emails

A Chinese-based hacking group has breached Microsoft email accounts belonging to two dozen government agencies, including the State Department, in the United States and Western Europe, Microsoft Corp. and U.S. national security officials revealed late Tuesday.

The issue was discovered on June 16, when U.S. cybersecurity experts detected suspicious email activity and reported a troubling vulnerability in the Microsoft 365 cloud environment to Microsoft.

“Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service,” National Security Council spokesman Adam Hodges said in a statement to The Washington Post. “We continue to hold the procurement providers of the U.S. government to a high security threshold.”

After opening an investigation into the activity, Microsoft discovered that an attacker had infiltrated and accessed customer email accounts through Outlook Web Access a month earlier, beginning on May 15. The investigation attributed the intrusion to a group Microsoft has dubbed Storm-0558, a threat actor known primarily for espionage, data theft and credential access.

The number of U.S. government accounts affected by the hack is currently believed to be limited, since the attack was targeted, although according to the Federal Bureau of Investigation, further analysis of the attack is ongoing. Aside from government email accounts, Microsoft believes that a small number of “related” consumer accounts may have also been affected, probably employees or contractors.

The attackers gained access to the accounts by forging authentication tokens with an acquired Microsoft account consumer signing key, according to a blog post. That in turn gave them an opening into Outlook Web Access in Exchange Online and Outlook.com.

Microsoft said that it has completely mitigated the attack by blocking all use of the signing key, and that no further action is required. The company has also added new automated detections for indicators of compromise associated with this type of attack and found no indications of further access.
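The two preceding paragraphs describe the core of the incident from a defender's point of view: a token signed with a key from the wrong realm was accepted, and the remediation was to stop trusting that key. The Go program below is an added illustration written for this article; it is not Microsoft's code and does not describe how its token validation actually works. It shows a relying party that verifies a token's signature against a published key set and then additionally checks that the key is registered for the realm the audience belongs to, so a consumer-scoped key cannot validate an enterprise token even when the signature itself is mathematically valid. Every name in it (ScopeConsumer, ScopeEnterprise, Scenario, the key identifiers, the issuer and audience strings) and the choice of Ed25519 are assumptions made for the example; revoking a key is modelled simply as removing it from the key set.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// KeyScope records the realm a signing key is registered for. The defensive point
// of this example is that a key is trusted only within its own realm.
type KeyScope string

const (
	ScopeConsumer   KeyScope = "consumer"   // keys for personal accounts
	ScopeEnterprise KeyScope = "enterprise" // keys for organisational tenants
)

// TrustedKey is one entry of the verifier's key set: public key plus its realm.
type TrustedKey struct {
	Pub   ed25519.PublicKey
	Scope KeyScope
}

// KeySet maps a key identifier (kid) to trusted key material. Revoking a key
// means deleting its entry.
type KeySet map[string]TrustedKey

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// Claims is a minimal JWT payload: issuer, audience, subject, expiry (unix seconds).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign produces a compact JWS (header.payload.signature) using Ed25519.
func Sign(priv ed25519.PrivateKey, kid string, c Claims) (string, error) {
	h, err := json.Marshal(header{Alg: "EdDSA", Kid: kid})
	if err != nil {
		return "", err
	}
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(h) + "." + b64(p)
	return input + "." + b64(ed25519.Sign(priv, []byte(input))), nil
}

// Verify checks the signature against the key set, then enforces that the key's
// registered scope matches the scope the relying party expects for this audience.
func Verify(token string, keys KeySet, wantScope KeyScope, wantAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	rawH, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var h header
	if err := json.Unmarshal(rawH, &h); err != nil {
		return c, err
	}
	if h.Alg != "EdDSA" {
		return c, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	k, ok := keys[h.Kid] // unknown or revoked kid: nothing to verify against
	if !ok {
		return c, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	if !ed25519.Verify(k.Pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("bad signature")
	}
	// A valid signature is necessary but not sufficient: the key must also be
	// the kind of key this audience is allowed to trust.
	if k.Scope != wantScope {
		return c, fmt.Errorf("key %q is scoped to %q, not %q", h.Kid, k.Scope, wantScope)
	}
	rawP, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(rawP, &c); err != nil {
		return c, err
	}
	if c.Aud != wantAud {
		return c, fmt.Errorf("audience %q, want %q", c.Aud, wantAud)
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}

// Scenario builds a constructed key set with one consumer key and one enterprise
// key, then checks that an enterprise token signed by the enterprise key is
// accepted while the same claims signed by the consumer key are rejected.
func Scenario() (legitAccepted bool, crossScopeRejected bool, err error) {
	pubC, privC, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	pubE, privE, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	keys := KeySet{
		"consumer-key-1":   {Pub: pubC, Scope: ScopeConsumer},
		"enterprise-key-1": {Pub: pubE, Scope: ScopeEnterprise},
	}
	now := time.Unix(1_689_000_000, 0) // constructed fixed clock for the example
	claims := Claims{Iss: "https://login.example.test", Aud: "exchange-online",
		Sub: "user@agency.example", Exp: now.Unix() + 3600}

	good, err := Sign(privE, "enterprise-key-1", claims)
	if err != nil {
		return false, false, err
	}
	_, errGood := Verify(good, keys, ScopeEnterprise, "exchange-online", now)

	forged, err := Sign(privC, "consumer-key-1", claims) // right claims, wrong realm of key
	if err != nil {
		return false, false, err
	}
	_, errForged := Verify(forged, keys, ScopeEnterprise, "exchange-online", now)

	return errGood == nil, errForged != nil, nil
}

func main() {
	ok, rejected, err := Scenario()
	fmt.Println("legitimate accepted:", ok, "cross-scope rejected:", rejected, "err:", err)
}
```

The scope check is the line that matters: without it, any key in the set that produces a valid signature is accepted, and revocation becomes the only defence once a key of the wrong realm has leaked. With it, a leaked consumer key never unlocks enterprise audiences in the first place, and deleting the key from the set additionally closes off the consumer realm.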

The company said it’s continuing to work with relevant government agencies such as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to better protect those affected by this and future cybersecurity issues.

“The Senate Intelligence Committee is closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence,” said Senator Mark R. Warner, chairman of the Senate Select Committee on Intelligence. “It’s clear that the [People’s Republic of China] is steadily improving its cyber collection capabilities directed against the U.S. and our allies. Close coordination between the U.S. government and the private sector will be critical to countering this threat.”

This breach comes at a time when Microsoft and multiple government agencies have warned about the increasing sophistication and frequency of Chinese state-sponsored attacks that exploit vulnerabilities. Earlier this year, Microsoft warned that an alleged Chinese group was targeting critical infrastructure, and the U.S. government issued an advisory last month about state-sponsored hackers targeting known vulnerabilities.

“Unfortunately, Microsoft’s findings aren’t surprising, and this won’t be the last news-making story of this nature,” Dan Schiappa, chief product officer of cybersecurity firm Arctic Wolf Networks Inc., told SiliconANGLE. “In the security community, we’ve been warning of a surge in Chinese state-sponsored activity for a while now, as both the domestic and geopolitical tensions with China continue to rise. Chinese threat activity is not financially motivated, it is focused on spycraft, which lends itself to long-term, undetected attacks.”

This dovetails with Microsoft’s categorization of Storm-0558 as focused on espionage and data exfiltration, but Schiappa added that in the long term, Chinese state actors will likely aim for the ever-present problem of supply chain attacks. “For businesses with any government contracts or relationships with those that are involved with bleeding-edge technology research or military-grade operations, an unassuming third-party vendor could be the vehicle of intrusion and intelligence gathering,” he said.

Image: Pxfuel
