Microsoft Corp. has revealed that alleged Chinese hackers who breached email accounts belonging to U.S. government agencies, including the State Department, earlier this year did so by compromising the account of a Microsoft engineer.

The details were revealed in a post-mortem published today by the Microsoft Security Response Center, which did a deep dive into what the hacking entailed. The hacking group, tracked as Storm-0558 by Microsoft, acquired a Microsoft account consumer key to forge tokens to access Outlook on the web and Outlook.com.

Exactly how the consumer key was obtained is what makes the story interesting. Microsoft’s investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process. The crash dumps are not meant to include the signing key, but in this case, a “race condition” allowed the key to be present in the crash dump.

The crash dump, which contained the key — Microsoft being unaware that it was there — was moved from an isolated production network into Microsoft’s debugging environment on its internet-connected corporate network. Although placing the dump there is part of Microsoft’s standard debugging process, the key was also exposed in the process and subsequently stolen by Storm-0558.

Using the exposed key, the threat actors then successfully compromised a Microsoft engineer’s corporate account. The hackers, at this point, may have been rubbing their hands with glee as that account access then led them to be able to gain access to emails from the State Department, among other arms of the U.S. government.

Exactly who and how many U.S. government agencies and departments had their emails compromised has never been fully revealed, but alongside the State Department, the Commerce Department has also been mentioned as having been compromised as well.

As part of its post-incident review process, Microsoft said that it has been continuously hardening systems as part of its defense-in-depth strategy. Investments have also been made relating to MSA key management.

To ensure that the same thing doesn’t happen again, Microsoft has identified and resolved the race condition that led to the signing key being present in crash dumps. Enhanced prevention, detection and response for key material is now in place for crash dumps.

Microsoft has implemented enhanced credential scanning to do a better job of detecting the presence of signing keys in the debugging environment and released enhanced libraries to automate key scope validation in authentication libraries.

Image: Bing Image Creator