For many IT professionals, moving to the cloud has been a godsend. Instead of protecting your data yourself, you let the security experts at Google or Microsoft protect it for you. But when a single stolen key can let hackers reach cloud data belonging to many organizations at once, that bargain starts to sound a good deal more dangerous.
On Tuesday evening, Microsoft revealed that a Chinese hacking group known as Storm-0558 had done exactly that. The group, which focuses on espionage against Western European governments, accessed the Outlook email accounts of 25 organizations, including several government agencies.
Those targets include US government agencies, among them the State Department, according to CNN, although US authorities are still working to determine the full extent of the breach. An advisory from the US Cybersecurity and Infrastructure Security Agency says the intrusion, which was detected in mid-June by a US government agency, exposed unclassified email data “from a few accounts.”
China has been hacking Western networks for years. But the latest attack used an unusual trick: Microsoft says the hackers stole a secret cryptographic key that allowed them to forge authentication “tokens,” the pieces of data that prove a user’s identity, giving them access to dozens of Microsoft customer accounts.
“We trust passports, and someone stole a passport printer,” says Jake Williams, a former NSA hacker who now teaches at the Institute for Applied Network Security in Boston. “For a big shop like Microsoft, where so many customers were affected – or who would have been affected by this – it’s unprecedented.”
In web-based cloud computing, a user’s browser connects to a remote server and, once the user has entered credentials such as a username and password, the server hands back a small piece of data known as a token. The token acts as a temporary identifier that lets the user come and go within the cloud environment while only occasionally re-entering their credentials. To ensure that the token cannot be tampered with, it is signed with a secret piece of data, known as a certificate or key, that only the cloud service holds, a kind of unforgeable stamp of authenticity.
Microsoft, in the blog post revealing the Chinese breach of Outlook, described a two-stage failure. First, the hackers stole the key Microsoft uses to sign tokens for consumers using its cloud services. Second, the hackers exploited a flaw in Microsoft’s token validation system that let them sign consumer-grade tokens with the stolen key and then use those tokens to access enterprise systems. All this happened even though Microsoft intended to check signatures against different keys for the different types of accounts.
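The validation failure described above, as an added illustration that is not Microsoft’s code or the article’s: a toy token validator that trusts every key in its key set regardless of which class of account the key was issued for, beside one that binds each key ID to the account class it may sign for. Key names, claims and the HMAC stand-in for real asymmetric signatures are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample keys: one issued for consumer tokens, one for enterprise tokens.
KEYS = {
    "consumer-key-1": b"constructed-consumer-signing-secret",
    "enterprise-key-1": b"constructed-enterprise-signing-secret",
}
# Defensive binding: which account class each key is allowed to sign for.
KEY_SCOPE = {"consumer-key-1": "consumer", "enterprise-key-1": "enterprise"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str) -> str:
    """Issue a header.payload.signature token signed with the named key (HMAC stand-in)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def _verify_signature(token: str):
    """Return (kid, claims) if the signature matches a trusted key, else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    kid = json.loads(_unb64(header_b64)).get("kid")
    key = KEYS.get(kid)
    if key is None:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None
    return kid, json.loads(_unb64(payload_b64))


def validate_weak(token: str, expected_scope: str) -> bool:
    """Flawed: any trusted key is accepted, so a consumer key can vouch for enterprise claims."""
    result = _verify_signature(token)
    return result is not None and result[1].get("scope") == expected_scope


def validate_strict(token: str, expected_scope: str) -> bool:
    """Hardened: the signing key must itself be scoped to the account class being asserted."""
    result = _verify_signature(token)
    if result is None:
        return False
    kid, claims = result
    return claims.get("scope") == expected_scope and KEY_SCOPE.get(kid) == expected_scope
```

A token carrying enterprise claims but signed with the consumer key passes `validate_weak` and fails `validate_strict`; a genuine enterprise-signed token passes both.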
Microsoft says it has now blocked all tokens signed with the stolen key and replaced the key with a new one, cutting off the hackers’ access to victim systems. The company adds that it has also improved the security of its “monitoring system” since the theft.
But exactly how such a sensitive key, one granting such broad access, could have been stolen in the first place remains unclear. WIRED contacted Microsoft, but the company declined to comment.
With no details from Microsoft, one theory is that the signing key was not stolen from Microsoft at all, according to Tal Skverer, who leads research at the security firm Astrix, which earlier this year revealed a security problem in Google’s cloud. In older Outlook deployments, the service is hosted and managed on the customer’s own servers rather than in Microsoft’s cloud. That could have allowed the attackers to steal the key from one of these “on-premises” installations on a customer’s network.