In mid-June 2023, an investigation by an unidentified U.S. Federal Civilian Executive Branch (FCEB) agency into unusual email activity led to the discovery of a new cyber-espionage campaign, purportedly linked to China, that targeted roughly two dozen institutions.
The information emerged from a joint cybersecurity advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on July 12, 2023.
In their announcement, authorities stated, “An anomalous pattern was detected in the Microsoft 365 (M365) cloud environment of a Federal Civilian Executive Branch (FCEB) agency in June 2023. Subsequent investigation by Microsoft revealed that advanced persistent threat (APT) actors had gained unauthorized access and downloaded non-classified data from Exchange Online Outlook.”
While the government entity involved was not disclosed, CNN and the Washington Post suggested it was the U.S. State Department, based on sources with knowledge of the situation. Other targets reportedly included the Commerce Department, an email account of a congressional aide, a U.S. human rights campaigner, and U.S. think tanks. The number of affected U.S. organizations is believed to be in single figures.
This revelation came hot on the heels of Microsoft attributing the operation to a newly identified “China-based cyber threat,” Storm-0558, known mainly for targeting Western European government agencies and for data theft and espionage. Accumulated evidence indicates that the malicious activity began a month before it was detected.
China has vehemently denied involvement in the cyber attack, dubbing the U.S. “the world’s foremost hacking empire and cyber thief”. The Chinese government further demanded that the U.S. clarify its cyber attack operations and cease disseminating false information to distract the public.
The infiltration reportedly involved the attackers forging authentication tokens to access customer email accounts via Outlook Web Access (OWA) in Exchange Online and Outlook.com. The forged tokens were produced using a fraudulently obtained Microsoft account (MSA) consumer signing key, although how the key was obtained remains undisclosed.
Two custom malware tools, Bling and Cigril, were also allegedly employed by Storm-0558 to gain unauthorized access. Cigril is a trojan that decrypts encrypted files and runs them straight from system memory to avoid detection.
CISA credited the FCEB agency’s detection of the breach to enhanced logging in Microsoft Purview Audit, specifically the MailItemsAccessed mailbox-auditing action.
Furthermore, the agency strongly advises organizations to enable Purview Audit (Premium) logging, switch on Microsoft 365 Unified Audit Logging (UAL), and ensure the logs are accessible to operators for hunting such activity and distinguishing it from regular operations within the environment.
“Entities are urged to identify anomalies and familiarize themselves with standard patterns to discern between abnormal and normal traffic,” CISA and FBI concluded.
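The baselining approach CISA and the FBI describe, as an added illustration that is not code from the advisory or from Microsoft: learn each user's normal MailItemsAccessed pattern (app, client, source network) from a known-good window of audit records, then flag mail access that breaks it. The field names mirror Unified Audit Log records but are assumptions here, and every record is constructed sample data.

```python
# Added example, not code from the CISA/FBI advisory or from Microsoft. Field
# names (Operation, UserId, AppId, ClientInfoString, ClientIPAddress,
# MailAccessType) mirror Unified Audit Log records but are assumptions here.
import json
from collections import defaultdict

# Constructed sample records: a known-good window, then the window under review.
BASELINE_LOG = """\
{"Operation":"MailItemsAccessed","UserId":"analyst@agency.example","AppId":"app-owa","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.10","MailAccessType":"Bind"}
{"Operation":"MailItemsAccessed","UserId":"director@agency.example","AppId":"app-outlook","ClientInfoString":"Client=MSExchangeRPC","ClientIPAddress":"203.0.113.12","MailAccessType":"Bind"}
"""
NEW_LOG = """\
{"Operation":"MailItemsAccessed","UserId":"analyst@agency.example","AppId":"app-owa","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.77","MailAccessType":"Bind"}
{"Operation":"MailItemsAccessed","UserId":"analyst@agency.example","AppId":"app-unknown-1","ClientInfoString":"Client=REST;Action=ViaProxy","ClientIPAddress":"198.51.100.23","MailAccessType":"Sync"}
"""

def parse(log):
    """One JSON object per line, the shape exported audit records usually take."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]

def client_app(info):
    """Client= token of a ClientInfoString such as "Client=OWA;Action=..." (assumed format)."""
    fields = dict(p.split("=", 1) for p in info.split(";") if "=" in p)
    return fields.get("Client", "unknown")

def access_key(rec):
    """(AppId, client, IPv4 /24); the /24 keeps address churn inside a known range quiet."""
    octets = rec.get("ClientIPAddress", "").split(".")
    block = ".".join(octets[:3]) + ".0/24" if len(octets) == 4 else ".".join(octets)
    return (rec.get("AppId", ""), client_app(rec.get("ClientInfoString", "")), block)

def build_baseline(records):
    """Per user: every (AppId, client, IP block) triple seen reading mail."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("Operation") == "MailItemsAccessed":
            seen[rec["UserId"]].add(access_key(rec))
    return seen

def find_anomalies(baseline, records):
    """Flag mail access from a triple the user has never produced before."""
    hits = []
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        key = access_key(rec)
        if key not in baseline.get(rec["UserId"], set()):
            bulk = rec.get("MailAccessType") == "Sync"  # Sync = whole-folder pull
            hits.append((rec["UserId"], key, "bulk Sync" if bulk else "single Bind"))
    return hits
```

On the sample data the analyst's access from a new address inside the known /24 stays quiet, while the never-seen AppId pulling whole folders from an unfamiliar network is the one record surfaced for review.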