Microsoft is challenging a recent report that suggests Chinese hackers may have had access to more parts of victims' systems than previously known. The hackers targeted multiple organizations, including government agencies, and gained access to the emails of high-profile individuals, such as the U.S. Commerce Secretary and the U.S. Ambassador to China. The breach was carried out by using an inactive consumer signing key to forge authentication tokens for Microsoft's Azure Active Directory multifactor authentication service.
According to the security company Wiz, which published the report, the compromised signing key had broader implications than initially believed. The hackers potentially could have forged access tokens for various Microsoft programs, including Outlook, SharePoint, Teams, and OneDrive, as well as certain customer applications that support the "login with Microsoft" functionality.
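For an application that accepts "login with Microsoft" tokens, the defensive lesson of the report is that a token must be accepted only if its signing key belongs to the issuer the application expects; a valid signature from a key in some other key set is not enough. The following added example (not code from the original article, Microsoft or Wiz) shows that check in a minimal token validator. It uses HMAC and constructed issuer URLs and key ids as stand-ins for the RSA keys and real endpoints an identity provider publishes; the issuer-to-key binding logic is the point, not the algorithm.

```python
import base64, hmac, hashlib, json, time

# Constructed sample key material: each issuer publishes its own key set,
# keyed by "kid". HMAC secrets stand in for the provider's RSA keys.
KEYS_BY_ISSUER = {
    "https://login.enterprise.example/": {"ent-key-1": b"enterprise-secret"},
    "https://login.consumer.example/":   {"msa-key-7": b"consumer-secret"},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWS-style token (HS256) carrying the given key id."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def verify(token: str, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Return the claims if the token is valid for this app; raise ValueError otherwise."""
    now = time.time() if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    claims = json.loads(_unb64(body_b64))
    # 1. The issuer claim must be the one this application trusts.
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    # 2. The kid must come from THAT issuer's key set. A key that is valid for
    #    the consumer issuer must not be able to sign enterprise tokens.
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(header.get("kid"))
    if key is None:
        raise ValueError("signing key not bound to expected issuer")
    # 3. Only now is the signature itself checked.
    mac = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig_b64)):
        raise ValueError("bad signature")
    # 4. Audience and expiry, so a token for another app or an old token fails.
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def is_accepted(token: str, expected_iss: str, expected_aud: str, now=None) -> bool:
    """Boolean wrapper around verify() for callers that only need accept/reject."""
    try:
        verify(token, expected_iss, expected_aud, now)
        return True
    except ValueError:
        return False
```

A token forged with the consumer key and an enterprise issuer claim fails at step 2 even though its signature is internally consistent, which is the failure mode an application-side check can close regardless of what the identity provider does.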
While Microsoft revoked the compromised key, concerns remain about the extent of the attack and its potential impact on cloud security. The incident is still under investigation, making it challenging for organizations to fully understand how to protect themselves from similar attacks. The report also raises questions about when and how the hackers acquired the key and whether other keys were compromised.
In response to the report, Microsoft has emphasized that the claims made are speculative and not based on evidence. The company encourages customers to refer to its published blogs about the incident and focus on the indicators of compromise provided.
The attack highlights the knowledge and resources possessed by the threat actors, and the incident serves as a reminder of both the advantages and disadvantages of cloud services. While the cloud can assist in investigating and resolving intrusions for customers, a breach can have far-reaching consequences, affecting multiple organizations and their valuable data.
Though the hack has not been officially attributed to China by CISA (Cybersecurity and Infrastructure Security Agency), the State Department expressed confidence in Microsoft's assessment connecting the attack to hackers linked to the Chinese government. The Chinese Embassy has strongly denied any involvement in the incident.