

KSG Special Alert: Storm(-0558) Clouds Coming In
What the Chinese Hack of Microsoft's Cloud Means for Executives
Strategic Context: In light of the Microsoft breach disclosed this week, which enabled the Chinese-affiliated threat actor known as Storm-0558 (believed to be a Ministry of State Security contractor) to compromise several US government accounts, it’s important to explore how it was discovered, its impact, and how to reduce risk stemming from cloud providers. Using a stolen consumer signing key, attackers were able to access the mailboxes of targeted US government employees.
The attack was discovered relatively quickly by State Department defenders; reports indicate the attackers gained access in May 2023. That is a far shorter dwell time than the SVR achieved in Federal networks during the SolarWinds campaign.
In all, the impact to the US Government seems to be fairly limited, with reports of only three organizations affected: State Department, Commerce Department, and accounts associated with the U.S. House of Representatives. Of particular note, however, are recent reports that Commerce Secretary Gina Raimondo’s unclassified account was targeted.
While the hack was in keeping with espionage norms, the nature and apparent method of the intrusion indicate the global impact may be much larger than what we’ve seen just yet.
What C-Suites Need to Know: As this news breaks, the question C-Suites must answer is “Were you at risk?” In the case of Microsoft’s disclosure this week, the answer for all Azure customers was, unfortunately, “yes”. From a threat-model perspective, however, it is unlikely you were specifically targeted.
Based on our understanding, the Chinese actor's access to the signing key and validation issue potentially gave the actor access to any Microsoft cloud email account anywhere. However, as far as we can tell right now, the actor's targeting set was fairly narrowly focused on economic/diplomatic personas, particularly those organizations addressing issues on trade, sanctions, and human rights abuse in China.
That's cold comfort though, as the existence of such a hugely impactful flaw in Microsoft's cloud systems (after a previous token generation issue was exploited by the Russian SVR in 2020-21) should concern everyone, especially as we increasingly shift IT operations and services to third-party cloud providers like Microsoft.
So if your fate is seemingly in the hands of others, what can you do?
Defenders were able to look back and detect anomalous activity because the US Department of State has the capabilities of Microsoft 365 E5 licensing, with additional restrictions for government (G5). This licensing tier, while more expensive, enables more than 90 days of log retention, with a configurable maximum of 10 years.
We recommend everyone get the E5/G5 license that allows for enhanced log retention and reporting (we understand this might be cost prohibitive for some organizations). With this expanded historical data set, you can enable your defenders to start searching for anomalous activity. Here, it's critical to have a baseline understanding of your network to separate the signal from the noise.
In the State Department's case, they alerted on the fact that access to these specific mail items came from a previously unseen application. So when the Chinese actors accessed mail items and exfiltrated them, the logs indicated an anomalous departure from the baseline application usage.
Once detected, solid information sharing processes and practices allowed the Department of State to be the first to notify CISA and Microsoft of this critical issue. This incident emphasizes the importance of implementing an internal threat hunting program and generally taking a proactive approach to securing cloud resources and services.
As a result of these events KSG expects a larger global impact, including discussions around the availability and retention of logs offered by major cloud providers. As the trend across both government and business continues to be a steady push to the cloud, these incidents reveal a more critical need to retain logs from these services, actively monitor them, and establish baselines.
Processes must be in place that enable defenders to review, investigate, and analyze activity over time, with data science tools to detect statistical outliers in data sets. Open source and well-documented frameworks can help defenders establish activity baselines and trigger reviews on anomalies to that baseline.
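The detection described above (a mailbox read by a previously unseen application) and the baseline-then-alert process this paragraph calls for, as an added example that is not KSG's or Microsoft's code: it learns which AppIds read each mailbox over the retained audit history, then alerts on later reads by an application never seen for that mailbox. The record shape follows the Unified Audit Log's MailItemsAccessed events, but every user, AppId, address and timestamp below is constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records shaped like Exchange mailbox-audit
# "MailItemsAccessed" events from the Microsoft 365 Unified Audit Log.
# Users, AppIds, IP addresses and times are invented for this example.
SAMPLE_LOG = """\
{"CreationTime":"2023-03-02T08:10:00","Operation":"MailItemsAccessed","UserId":"analyst@example.gov","AppId":"11111111-aaaa-4bbb-8ccc-000000000001","ClientIPAddress":"198.51.100.20"}
{"CreationTime":"2023-04-21T17:30:00","Operation":"MailItemsAccessed","UserId":"director@example.gov","AppId":"11111111-aaaa-4bbb-8ccc-000000000001","ClientIPAddress":"198.51.100.22"}
{"CreationTime":"2023-05-16T02:15:42","Operation":"MailItemsAccessed","UserId":"analyst@example.gov","AppId":"99999999-dead-4bee-8fff-000000000099","ClientIPAddress":"203.0.113.77"}
{"CreationTime":"2023-05-16T02:16:03","Operation":"MailItemsAccessed","UserId":"analyst@example.gov","AppId":"99999999-dead-4bee-8fff-000000000099","ClientIPAddress":"203.0.113.77"}
{"CreationTime":"2023-05-17T10:05:00","Operation":"MailItemsAccessed","UserId":"director@example.gov","AppId":"11111111-aaaa-4bbb-8ccc-000000000001","ClientIPAddress":"198.51.100.22"}
"""

BASELINE_END = datetime(2023, 5, 1)  # audit history before this date is treated as the known-good baseline

def parse_records(text):
    """Parse newline-delimited JSON audit records, keeping only mailbox-read events."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    reads = [r for r in records if r.get("Operation") == "MailItemsAccessed"]
    for rec in reads:
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
    return reads

def build_baseline(records, cutoff):
    """Map each mailbox to the set of AppIds that read it before the cutoff."""
    baseline = defaultdict(set)
    for rec in records:
        if rec["CreationTime"] < cutoff:
            baseline[rec["UserId"]].add(rec["AppId"])
    return baseline

def find_unseen_apps(records, baseline, cutoff):
    """One alert per (mailbox, AppId) pair seen after the cutoff but never in the baseline."""
    alerts = {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        if rec["CreationTime"] < cutoff or rec["AppId"] in baseline.get(rec["UserId"], set()):
            continue  # inside the baseline window, or an application that has read this mailbox before
        alert = alerts.setdefault((rec["UserId"], rec["AppId"]), {
            "user": rec["UserId"], "app_id": rec["AppId"],
            "first_seen": rec["CreationTime"], "reads": 0, "source_ips": set()})
        alert["reads"] += 1
        alert["source_ips"].add(rec["ClientIPAddress"])
    return list(alerts.values())

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for a in find_unseen_apps(recs, build_baseline(recs, BASELINE_END), BASELINE_END):
        print(f"{a['first_seen']} {a['user']}: {a['reads']} reads by unseen AppId {a['app_id']} from {sorted(a['source_ips'])}")
```

A mailbox with no history before the cutoff alerts on every application, so the baseline window has to be long enough to capture normal client usage, which is why retention beyond the 90-day default matters for this kind of hunt.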
The opaque nature of Microsoft and other cloud providers’ services means that everyone other than the providers’ internal offensive security teams is left trying to find vulnerabilities in closed systems from the outside.
This episode makes it clear that nation states are willing and able to dedicate the resources necessary to find chinks in the armor around these opaque systems and that defenders and cloud providers remain a step behind them.
If there is one thing to be learned from this incident, it’s that businesses and governments cannot solely rely on cloud providers to secure cloud environments on their behalf. Monitoring the environment is key and it begins with having the necessary data available and the necessary staff to monitor it. Managing third-party risk from cloud providers like Microsoft will continue to require a proactive, continuous approach.
What went well…
Information sharing processes between government and industry seem to have worked, allowing State to flag this hack to Microsoft and CISA. It’s also noteworthy that State was able to discover the anomalous behavior, as the Department (a constant target of foreign spies) has been considered easy pickings over the last decade or more. A concerted effort to improve defenses over the years enabled a defensive success. The detection was likely enabled by State having Microsoft G5/E5 licenses, which are more expensive but retain logs, thus allowing for forensic investigations (the higher cost of E5 is a separate issue that has rankled many in Congress and in the Administration).
What concerns us…
The lack of details provided by Microsoft that describe the events that led to this intrusion leave customers and defenders with more questions than answers:
When did the hackers get the signing key?
How did they steal the key?
Did they steal any other keys?
Was any of the malicious key activity detected?
Lots of really uncomfortable questions and likely awkward answers (including "we don't know").
The stakes couldn't be higher as the US government and every business we know is accelerating to the cloud, and cloud providers are staking their futures on their cloud business units. The USG and these firms are tied together at the hip.
At the same time, the cyber defense responsibility matrix isn't like the old days of on-prem enterprise software where the “good guys” were able to help software vendors "red team" their products to spot flaws and improve. Now, the walled garden/closed ecosystem of large cloud systems/products is leaving a whole host of experts on the outside looking in. Yes, the big tech firms invest in their own security, but the asymmetric advantage the bad guys have is increasing:
The bad guys look at the volume of data going to a small set of cloud providers and see nothing but concentrated opportunity. As a result, China, Russia, and others are dedicating entire teams to actively attack cloud systems on a daily basis.
China is also using its system of laws to compel disclosure of software vulnerabilities, and using bug hunting competitions to incentivize domestic security pros to boost the state’s efforts. The payoff is clear, as evidenced by this Microsoft-based compromise: finding a critical flaw in a cloud system (like the ability to mint one’s own tokens) is a ticket that can unlock a wide set of accesses.
Where do we go from here…
First, we need to figure out a more transparent system that allows customers, regulators, and national security officials to gain confidence in cloud providers. Today's voluntary approach may have outlasted its usefulness:
There's a call for regulating the cloud in the recent National Cybersecurity Strategy, combined with a harder look at software liability. The National Cyber Strategy Implementation Plan should keep those discussions moving forward, tasking the Department of Commerce to work on a regulation laying out requirements and standards to curb adversarial abuse of infrastructure-as-a-service, as well as convening legal and academic experts to develop a software liability framework that could draw on existing regulation where possible and propose new legislation if needed.
In the meantime, Congress should continue to examine the policy and legislative issues sprouting from current and emerging technologies like cloud computing and Generative Artificial Intelligence. While it’s not clear what will materialize out of this or the next Congress, the pace of discussions is picking up.
Unfortunately, regulation and the legislative process take time, and time is not on our side. While regulatory action might be inevitable, legislation written in haste and poorly considered implementation often misfire.
In the meantime, organizations must keep up the fight, with one hand tied behind their backs and partly blindfolded. And we all must keep hunting for the bad guys, just like the State Department did. We can do this.
For more information or assistance on these issues, please reach out to intel@ks.group.
Global Scan
Geopolitics
Germany Unveils First-Ever China Strategy: Berlin seeks to thread the needle between de-risking and sustaining its extensive economic ties to China, calling for new export controls and outbound investment screening for sensitive technologies.
Can Germany Remain Europe’s Economic Engine?: High energy costs, labor shortages and regulatory hurdles are driving many of Germany’s biggest companies to North America and Asia—while new orders and foreign investment numbers keep falling.
Cybersecurity
Microsoft Breach a New Level of Sophistication in Chinese Cyber Espionage: Spies were able to manipulate the company’s cryptographic authentication protocols to gain access to the emails of at least 25 organizations – including the US Commerce Department – alarming threat analysts.
Ransomware Payments Spike after Brief Dip in 2022: Syndicates displaced or disoriented by the war in Ukraine appear to have bounced back, with payments estimated to reach $900 million in 2023.
CISA Issues Alert on Commonly Used Rockwell Automation Software: Officials warned of “destructive consequences” for industrial control systems if patches were not applied to a range of Allen-Bradley ControlLogix communication modules—often used in water, energy, transport, and other infrastructure.
Strategic and Emerging Technology
US-based Anthropic Unveils ChatGPT Competitor, Claude 2: The chatbot, which the company touts as being trained on more “principled” privacy and other human-rights rules than its competitors, is now available to US and UK users.
Speed of Energy Transition Slowed by Critical Materials Bottlenecks: An international body on renewables issued a report this week assessing that the concentration of mining and refining in the hands of a few companies and countries will subject markets to potential shocks, despite no scarcity of mineral reserves across the globe.
Cryopreservation Breakthroughs Transforming Medicine: Recent successful demonstrations of organ storage at deep temperatures—and subsequent viability—suggest a watershed moment for both organ donation and cryogenics, alike.
Policy/Regulation
White House Publishes Cyber Security Strategy Implementation Plan: Immediate initiatives include Federal Acquisition Regulations changes for Internet of Things (IoT) devices, an IoT labeling program, and CISA’s vulnerability disclosure guidelines.
Tech Giants Shrugging off Washington’s “Secure By Design” Push: The Biden Administration has called for major providers to tighten admin privileges and make premium security features and logging data more widely available. Absent regulatory backing, firms like Microsoft, AWS, Oracle and others have largely flouted the guidance.
European Union Gives Final Nod to Data-Sharing Deal with United States: The move clears the way for thousands of businesses to easily transfer personal information across the Atlantic. Years of negotiations aimed to assuage surveillance concerns by privacy advocates – who may still challenge the framework in court.
Bookmarks
Wired: Rising Interest Rates Might Herald the End of the Open Internet
Carnegie Endowment: China’s AI Regulations and How they Get Made
x0rz on Twitter: "People should realize that fighting against intelligence agencies (i.e. state-actor) is H-A-R-D. And the Cloud isn’t a safe haven. Cloud providers are the prime targets of multiple sophisticated threat actors willing to burn their 0days on them."