China-based hackers have broken into the email accounts of around 25 organisations, including US government agencies, Microsoft reports.
At least two major US government agencies have suffered email breaches after tech giant Microsoft announced a threat actor used a flaw in the company’s code to illegitimately access customer email accounts.
The threat actor – tracked as Storm-0558 – is described as a China-based actor with espionage objectives, and while Microsoft reports the attack is now mitigated, hacks went undetected for over a month.
“Microsoft has mitigated an attack by a China-based threat actor Microsoft tracks as Storm-0558 which targeted customer emails,” said Microsoft.
“Beginning May 15, 2023, Storm-0558 used forged authentication tokens to access user email from approximately 25 organisations, including government agencies and related consumer accounts in the public cloud.”
It wasn't until 16 June (US time) when a customer notified Microsoft of “anomalous Exchange Online data access” that Microsoft identified the malicious campaign.
Among the victims of the attack are the US State Department and Commerce Department, both of which have confirmed email accounts in their agencies were breached.
While neither agency confirmed how many individuals were affected by the attack, Secretary of Commerce Gina Raimondo, a Cabinet-level official, is one of the victims who had their email account breached during the incident.
“Microsoft notified the Department of a compromise to Microsoft's Office 365 system, and the Department took immediate action to respond,” a US Department of Commerce spokesperson told the BBC.
“We are monitoring our systems and will respond promptly should any further activity be detected,” they added.
Microsoft said “approximately” 25 organisations were affected by the string of email account breaches, but did not expressly identify who they are.
According to Microsoft, the China-based threat actor Storm-0558 primarily targets government agencies in Western Europe, focusing on espionage, data theft and maliciously accessing credentials.
“As with any observed nation-state actor activity, Microsoft has contacted all targeted or compromised organisations directly via their tenant admins and provided them with important information to help them investigate and respond,” said Microsoft.
According to Reuters, China's embassy in London has responded with fervent denial, labelling Microsoft's accusations “disinformation” and calling the US government “the world's biggest hacking empire and global cyber thief”.
The response is typical for alleged China-based hacking operations, which seldom see confirmation in a public forum.
How did the hackers gain access?
The attack, which went undetected for over a month, was carried out using a sophisticated combination of forgery and exploitation.
Microsoft described the hackers as having forged Azure Active Directory tokens to access customer data on Microsoft's proprietary email hosting service Exchange Online.
While the company initially thought the threat actor was stealing “correctly issued” tokens via malware or other methods, further investigation revealed a “validation error” in Microsoft's code was to blame.
By leveraging a flaw in Microsoft’s code, hackers were able to misappropriate one of Microsoft’s digital keys in order to forge authentication tokens and ultimately launch their purported cyber espionage campaign – cracking into the email accounts of both government agencies and related consumer accounts in the public cloud.
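To make the "validation error" concrete, here is an added, constructed illustration (not Microsoft's code, and not a description of the actual flaw) of the class of mistake: a token verifier that checks the signature against any key in its trusted set but never checks that the key is the one published for the issuer the token claims. The key set, issuer URLs and HMAC signing are all assumptions for a self-contained example; real Azure AD tokens are RSA-signed JWTs.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set: each signing key is published for exactly one issuer.
# (HMAC secrets stand in for RSA key pairs so the example runs offline.)
TRUSTED_KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret", "issuer": "https://login.example/consumers"},
    "enterprise-key-1": {"secret": b"enterprise-secret", "issuer": "https://login.example/enterprise-tenant"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-style token with the named key (hypothetical helper)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(TRUSTED_KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def _parse(token: str):
    header, body, sig = token.split(".")
    return json.loads(_unb64(header)), json.loads(_unb64(body)), f"{header}.{body}".encode(), _unb64(sig)


def validate_loose(token: str, expected_aud: str) -> bool:
    """The validation error: any trusted key is accepted for any issuer,
    so a token signed with the consumer key but claiming the enterprise issuer passes."""
    hdr, claims, signed, sig = _parse(token)
    key = TRUSTED_KEYS.get(hdr.get("kid"))
    if key is None or hdr.get("alg") != "HS256":
        return False
    expected = hmac.new(key["secret"], signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig) and claims.get("aud") == expected_aud


def validate_strict(token: str, expected_aud: str) -> bool:
    """Hardened check: the signing key must be the one published for the token's issuer."""
    hdr, claims, signed, sig = _parse(token)
    key = TRUSTED_KEYS.get(hdr.get("kid"))
    if key is None or hdr.get("alg") != "HS256" or key["issuer"] != claims.get("iss"):
        return False
    expected = hmac.new(key["secret"], signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig) and claims.get("aud") == expected_aud
```

The point for defenders is that a cryptographically valid signature is necessary but not sufficient: the verifier must also bind the key to the issuer and audience it is allowed to vouch for.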
The company further reports it has completed mitigation of this attack for all customers.
“Our telemetry indicates that we have successfully blocked Storm-0558 from accessing customer email using forged authentication tokens,” said Microsoft.
“No customer action is required.”
Microsoft is continuing to monitor and investigate Storm-0558 activity, and has further partnered with US federal cyber security watchdog the Cybersecurity and Infrastructure Security Agency (CISA) to “protect affected customers”.