U.S. Agencies on Alert: China-Linked Cyber Espionage Campaign Unearthed


July 13, 2023

In mid-June 2023, an investigation by an unnamed U.S. Federal Civilian Executive Branch (FCEB) agency into unusual email activity led to the discovery of a new cyber-espionage campaign, reportedly linked to China, that targeted roughly two dozen organizations.

The information emerged from a combined cybersecurity warning issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on July 12, 2023.

In their announcement, authorities stated, “An anomalous pattern was detected in the Microsoft 365 (M365) cloud environment of a Federal Civilian Executive Branch (FCEB) agency in June 2023. Subsequent investigation by Microsoft revealed that advanced persistent threat (APT) actors had gained unauthorized access and downloaded non-classified data from Exchange Online Outlook.”

While the government entity involved was not disclosed, CNN and the Washington Post suggested it was the U.S. State Department, based on sources with knowledge of the situation. Other targets reportedly included the Commerce Department, an email account of a congressional aide, a U.S. human rights campaigner, and U.S. think tanks. The number of affected U.S. organizations is believed to be in single figures.


U.S. Agencies on Alert

This revelation came hot on the heels of Microsoft attributing the operation to a newly identified "China-based threat actor," Storm-0558, known mainly for targeting Western European government agencies and for data theft and espionage. Accumulated evidence indicates that the malicious activity began a month before it was detected.

China has vehemently denied involvement in the cyber attack, dubbing the U.S. “the world’s foremost hacking empire and cyber thief”. The Chinese government further demanded that the U.S. clarify its cyber attack operations and cease disseminating false information to distract the public.

The intrusion reportedly involved the attackers forging authentication tokens to access customer email accounts via Outlook Web Access (OWA) in Exchange Online and Outlook.com. The forged tokens were signed with a Microsoft account (MSA) consumer signing key the attackers had acquired, although how the key was obtained remains undisclosed.

Two custom malware tools, Bling and Cigril, were also allegedly employed by Storm-0558 to gain unauthorized access. Cigril is a trojan that decrypts encrypted files and runs them straight from system memory to avoid detection.

CISA credited the FCEB agency's detection of the breach to enhanced logging in Microsoft Purview Audit, specifically the MailItemsAccessed mailbox-auditing action.

Furthermore, the agency strongly advises organizations to enable Purview Audit (Premium) logging, switch on Microsoft 365 Unified Audit Logging (UAL), and ensure that logs are accessible to operators so they can hunt for such activity and distinguish it from routine operations within the environment.
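The kind of hunt CISA describes, as an added illustration that is not part of the advisory or this article: it profiles each user's normal MailItemsAccessed activity and flags reads from an unfamiliar client or IP, or bulk Sync reads. It assumes UAL records exported as newline-delimited AuditData JSON; the field names follow the UAL schema, but every record, address and client string below is constructed.

```python
"""Hunt Microsoft 365 Unified Audit Log (UAL) exports for anomalous
MailItemsAccessed events. Field names follow the UAL AuditData schema;
all records, IPs and client strings here are constructed sample data."""
import json
from collections import defaultdict

# Constructed baseline: known-good mailbox access for one user.
BASELINE = """
{"Operation":"MailItemsAccessed","UserId":"analyst@agency.example","ClientIPAddress":"198.51.100.7","ClientInfoString":"Client=OWA;Browser","MailAccessType":"Bind","OperationCount":4}
{"Operation":"MailItemsAccessed","UserId":"analyst@agency.example","ClientIPAddress":"198.51.100.7","ClientInfoString":"Client=MSExchangeRPC","MailAccessType":"Sync","OperationCount":1}
"""

# Constructed hunt window: routine access plus one record that should stand out.
HUNT = """
{"Operation":"MailItemsAccessed","UserId":"analyst@agency.example","ClientIPAddress":"198.51.100.7","ClientInfoString":"Client=OWA;Browser","MailAccessType":"Bind","OperationCount":2}
{"Operation":"MailItemsAccessed","UserId":"analyst@agency.example","ClientIPAddress":"203.0.113.44","ClientInfoString":"Client=REST;Client=RESTSystem","MailAccessType":"Sync","OperationCount":250}
{"Operation":"Set-Mailbox","UserId":"admin@agency.example","ClientIPAddress":"198.51.100.9"}
"""

def parse_ual(text):
    """Parse newline-delimited AuditData JSON, keeping only MailItemsAccessed."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("Operation") == "MailItemsAccessed":
            records.append(rec)
    return records

def build_baseline(records):
    """Per user: the client strings and source IPs seen during normal operation."""
    profile = defaultdict(lambda: {"clients": set(), "ips": set()})
    for r in records:
        profile[r["UserId"]]["clients"].add(r["ClientInfoString"])
        profile[r["UserId"]]["ips"].add(r["ClientIPAddress"])
    return profile

def find_anomalies(records, profile, sync_threshold=100):
    """Flag access from a client or IP the user has never used, and large Sync
    reads, which is how wholesale mailbox download shows up in this log."""
    findings = []
    for r in records:
        seen = profile.get(r["UserId"], {"clients": set(), "ips": set()})
        reasons = []
        if r["ClientInfoString"] not in seen["clients"]:
            reasons.append("new client: " + r["ClientInfoString"])
        if r["ClientIPAddress"] not in seen["ips"]:
            reasons.append("new source IP: " + r["ClientIPAddress"])
        if r.get("MailAccessType") == "Sync" and r.get("OperationCount", 0) >= sync_threshold:
            reasons.append("bulk sync: %d items" % r["OperationCount"])
        if reasons:
            findings.append((r["UserId"], r["ClientIPAddress"], reasons))
    return findings

if __name__ == "__main__":
    for user, ip, why in find_anomalies(parse_ual(HUNT), build_baseline(parse_ual(BASELINE))):
        print(user, ip, "; ".join(why))
```

In practice the baseline window should span several weeks, and the thresholds tuned to the tenant, since the goal is exactly what the advisory asks for: knowing what normal looks like before the anomaly appears.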

“Entities are urged to identify anomalies and familiarize themselves with standard patterns to discern between abnormal and normal traffic,” CISA and FBI concluded.




Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

