U.S. Agencies on Alert: China-Linked Cyber Espionage Campaign Unearthed

July 13, 2023

In mid-June 2023, an investigation by an unidentified U.S. Federal Civilian Executive Branch (FCEB) agency into unusual email activity led to the discovery of a new cyber-espionage campaign, purportedly linked to China, that targeted roughly two dozen institutions.

The information emerged from a combined cybersecurity warning issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on July 12, 2023.

In their announcement, authorities stated, “An anomalous pattern was detected in the Microsoft 365 (M365) cloud environment of a Federal Civilian Executive Branch (FCEB) agency in June 2023. Subsequent investigation by Microsoft revealed that advanced persistent threat (APT) actors had gained unauthorized access and downloaded non-classified data from Exchange Online Outlook.”

While the government entity involved was not disclosed, CNN and the Washington Post suggested it was the U.S. State Department, based on sources with knowledge of the situation. Other targets reportedly included the Commerce Department, an email account of a congressional aide, a U.S. human rights campaigner, and U.S. think tanks. The number of affected U.S. organizations is believed to be in single figures.

U.S. Agencies on Alert

This revelation came hot on the heels of Microsoft assigning the operation to a newly identified “China-based cyber threat,” Storm-0558, known mainly for targeting Western European government agencies and for data theft and espionage. Accumulated evidence indicates that the harmful activity was initiated a month before detection.

China has vehemently denied involvement in the cyber attack, dubbing the U.S. “the world’s foremost hacking empire and cyber thief”. The Chinese government further demanded that the U.S. clarify its cyber attack operations and cease disseminating false information to distract the public.

The intrusion reportedly involved the attackers forging authentication tokens to access customer email accounts via Outlook Web Access (OWA) in Exchange Online and Outlook.com. The forged tokens were produced using a fraudulently obtained Microsoft account (MSA) consumer signing key, although the precise method remains undisclosed.

Two custom malware tools, Bling and Cigril, were also allegedly employed by Storm-0558 to gain unauthorized access. Cigril is a trojan that decrypts encrypted files and runs them straight from system memory to avoid detection.

CISA credited the FCEB agency with detecting the breach by using enhanced logging in Microsoft Purview Audit, specifically the MailItemsAccessed mailbox-auditing action.

Furthermore, the agency strongly advises organizations to enable Purview Audit (Premium) logging, turn on Microsoft 365 Unified Audit Logging (UAL), and ensure logs are accessible to operators so they can hunt for such activity and distinguish it from regular operations within the environment.

“Entities are urged to identify anomalies and familiarize themselves with standard patterns to discern between abnormal and normal traffic,” CISA and FBI concluded.
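The baselining that CISA and the FBI recommend can be sketched as a hunt over exported MailItemsAccessed records. This is an added example, not code from the advisory or from Microsoft. The field names follow the Microsoft 365 audit record schema, but comparing on ClientAppId per mailbox is this example's assumption, and every record below is constructed sample data.

```python
import json
from collections import defaultdict

def _line(time, op, mailbox, app, ip):
    """Build one constructed audit record as a JSON line (sample data only)."""
    return json.dumps({"CreationTime": time, "Operation": op,
                       "MailboxOwnerUPN": mailbox, "ClientAppId": app,
                       "ClientIPAddress": ip})

# Constructed baseline window: normal access patterns (all values are made up).
BASELINE = [
    _line("2023-05-02T08:14:00", "MailItemsAccessed", "alice@example.gov", "app-outlook", "198.51.100.10"),
    _line("2023-05-02T09:30:00", "MailItemsAccessed", "bob@example.gov", "app-outlook", "198.51.100.11"),
    _line("2023-05-03T10:01:00", "MailItemsAccessed", "bob@example.gov", "app-mobile", "198.51.100.12"),
    _line("2023-05-03T10:05:00", "Send", "bob@example.gov", "app-archiver", "198.51.100.12"),
]
# Constructed hunt window: one mailbox is read by an app never seen for it before.
HUNT = [
    _line("2023-06-15T08:20:00", "MailItemsAccessed", "alice@example.gov", "app-outlook", "198.51.100.10"),
    _line("2023-06-15T23:47:00", "MailItemsAccessed", "alice@example.gov", "app-unknown", "203.0.113.77"),
    _line("2023-06-16T07:55:00", "MailItemsAccessed", "bob@example.gov", "app-mobile", "198.51.100.12"),
    "not json",  # malformed export line, must be skipped
]

def mail_access_events(lines):
    """Yield parsed MailItemsAccessed records, skipping malformed or other lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("Operation") == "MailItemsAccessed":
            yield rec

def build_baseline(lines):
    """Map each mailbox to the set of client app IDs normally reading it."""
    seen = defaultdict(set)
    for rec in mail_access_events(lines):
        seen[rec.get("MailboxOwnerUPN", "").lower()].add(rec.get("ClientAppId"))
    return seen

def hunt_unseen_apps(baseline_lines, hunt_lines):
    """Return hunt-window reads whose (mailbox, app) pair is absent from baseline."""
    seen = build_baseline(baseline_lines)
    return [rec for rec in mail_access_events(hunt_lines)
            if rec.get("ClientAppId") not in seen.get(rec.get("MailboxOwnerUPN", "").lower(), set())]

if __name__ == "__main__":
    for hit in hunt_unseen_apps(BASELINE, HUNT):
        print(hit["CreationTime"], hit["MailboxOwnerUPN"], hit["ClientAppId"], hit["ClientIPAddress"])
```

A hit is a lead to triage, not a verdict: a newly deployed mail client produces the same signal, which is why the baseline window has to reflect current normal use.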

Saher Mahmood

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
