Pages

17 July 2023

What we know (and don’t know) about the government email breach

Tim Starks

Below: Court documents say Twitter didn’t pay fees to a privacy assessor, and Arizona escalates a probe into alleged efforts to swing the 2020 election. First:

Government emails got hacked in a suspected attack on Microsoft from China. Here’s what we know — and some mysteries.

Every day, more information is coming to light about alleged Chinese hackers’ breach of U.S. government emails by exploiting a flaw in Microsoft’s cloud software. But there’s plenty we still don’t know.

Let’s walk through the knowns and unknowns so far, relying heavily on the reporting of my colleagues Ellen Nakashima, Joseph Menn and Shane Harris.

When did it start, and what’s the timeline?

Microsoft said the hackers gained access on May 15. The State Department first discovered the intrusion on June 16 and told the company that day. The timing of the breach falls about a month before Secretary of State Antony Blinken visited China, which made him the first secretary of state to do so in five years.

Microsoft disclosed the hack in a blog post late Tuesday. The company said it began investigating on June 16 and has “successfully blocked” the hackers, which it described as a “China-based actor Microsoft is tracking as Storm-0558.”

Who’s affected and how?

Among U.S. government agencies, the State and Commerce departments are the only victims we know of, at least so far. Commerce Secretary Gina Raimondo, whose department has imposed stiff export controls on Chinese companies, is the only known Cabinet-level official whose email was breached.

The campaign is notably very, very targeted.

A senior Department of Homeland Security official, who like others spoke to my colleagues on the condition of anonymity due to the sensitivity of the matter, counted nine U.S. victims among those targeted, and only a small number of email accounts were successfully compromised.

Microsoft said 25 total organizations around the globe got hacked.

Other targets include a congressional staffer, U.S. think tanks and a U.S. human rights activist, according to officials and security professionals.

A senior FBI official said there’s no evidence the hackers got any classified information or accessed anything beyond email inboxes. But the breaches gave China insights in advance of Blinken’s China trip, two senior Biden administration officials said in a story by Kylie Atwood of CNN. Raimondo also has a pending trip to China.

Who’s looking into it?

The FBI is still investigating.

Blinken raised the issue of China’s hacking during a meeting between U.S. and Chinese diplomats in Indonesia on Thursday, Bloomberg News reported. But the State Department didn’t say whether he directly confronted his counterpart over the Microsoft attack.

The United Kingdom’s National Cybersecurity Centre also said on Thursday that it is probing what happened and how widespread it is in that country, and is staying in touch with Microsoft about it, per James Pearson of Reuters.

Who’s behind the attack?

Microsoft blamed a China-based attacker that’s focused on espionage. While the espionage motive usually suggests government-connected hackers, Microsoft didn’t specify any links.

Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) also pointed to the Chinese government, also known as the PRC, in a news release. “The Senate Intelligence Committee is closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence,” he said. “It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies.”

But the Biden administration has notably neither attributed the attack to China nor said anyone specific at all was behind it. An FBI official did say that the administration would “impose costs” on the responsible party.

That lack of attribution didn’t keep China from lashing out at the U.S. government. Here’s Chris Bing of Reuters with the Chinese response:

Lengthy comment from chinese foreign ministry on today’s news in which the USG/microsoft discovered a stealthy, highly sophisticated chinese cyber espionage operation against federal agencies: pic.twitter.com/B4V3dnjV7H— Chris Bing (@Bing_Chris) July 12, 2023

How did they do it?

This is where some of the biggest mysteries remain.

The hackers used forged authentication tokens to get into the email accounts using “an acquired Microsoft account consumer signing key,” wrote Charlie Bell, executive vice president of security at Microsoft Security.

But U.S. officials are still investigating how, precisely, the attackers got the signing keys — extremely valuable tools — from Microsoft. “That is an area of urgent focus,” the DHS official said.

And Microsoft isn’t answering additional questions from media outlets about what happened — not even to say whether they’ll ever reveal the precise vulnerability, as Jon Greig of the Record said on Twitter:

@Microsoft told me that none of the Patch Tuesday releases were connected to the attack on U.S. government Outlook accounts.

But they declined to say what the exploited vulnerability is and whether it will ever be revealed@TheRecord_Media #Microsofthttps://t.co/jThy3CcRX3— jon greig (@jgreigj) July 13, 2023

Some outside observers offered this to Ellen, Joseph and Shane:
Adam Meyers, senior vice president of intelligence at CrowdStrike, suggested that an insider could have hacked or compromised Microsoft. That’s because the hackers could only create that key with “a more powerful internal key controlled by Microsoft,” as my colleagues said in paraphrasing Meyers.
“This attack used a stolen key that Microsoft’s design failed to properly validate,” said Jason Kikta, chief information security officer at Automox and former head of private sector partnerships at U.S. Cyber Command. “The inability to do proper validation for authentication is a habit, not an anomaly.”

Over at Wired, Andy Greenberg solicited yet more theories, some more troubling than others. Ultimately, said Jake Williams, a former National Security Agency hacker who currently teaches at the Institute for Applied Network Security, Microsoft hasn’t answered key questions, and he said “I think there’s a lot more transparency that we should expect.”

What are the policy questions?

The Biden administration has been urging tech companies to make their products secure-by-default, part of which means making them secure with no additional paid security services required.

After Microsoft vulnerabilities figured into the landmark SolarWinds hack, Microsoft gave more free log access to government customers, giving agencies more insight into activity on their networks. The DHS official said that helped the government discover the May intrusions.

But there are some haves and have-nots here. Not everyone gets access to that level of log access.

“It is our perspective that every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box,” the DHS official said.

Read more on the Microsoft logging particulars in this story from Robert McMillan and Dustin Volz of the Wall Street Journal.

A second and related issue dovetails with concerns about Microsoft’s ubiquity as a software vendor to the U.S. government, the subject of an amendment to the Senate version of the annual defense policy bill.

At least one official at a Microsoft competitor took note of the breached emails to raise the same concern. Here’s Amit Zavery, vice president/general manager and head of platform for Google Cloud, speaking out on Twitter (with his caveat that “views and comments are my own”) in an echo of past arguments

Security is a team sport, but it’s hard to defend when only one team is giving up goals. “Monoculture” in govt productivity software creates an easy attack surface. I hope this latest in a series of incidents pushes the U.S. govt to look at alternatives. https://t.co/NW0AGGkgt1— Amit Zavery (@azavery) July 13, 2023

The keys

Twitter didn’t pay privacy assessor following Musk takeover, court documents say

A Twitter legal complaint cited by House Republicans in a Thursday hearing omitted key information from a deposition related to company allegations that the Federal Trade Commission tried to influence independent auditor Ernst & Young, the firm hired to assess Twitter’s compliance with an FTC data security order, our colleague Cat Zakrzewski reports.

Cat writes: “David Roque, an Ernst & Young partner, told lawyers during a deposition last month that Ernst & Young contacted Twitter weekly, repeatedly asking the company to pay outstanding invoices totaling $500,000. He said the firm parted ways with the company amid ‘constant turnover’ on Twitter’s executive team.”
The report adds: “‘There would have been a large burden on a smaller number of people to execute the same control structure,’ Roque told an FTC investigator, who asked how the ‘resource constraints’ would affect Twitter’s data security program.”

The developments come amid a standoff between the consumer protection regulator and social media company owned by Elon Musk. The FTC under Chair Lina Khan has recently warned Twitter that its failure to respond to agency requests puts it out of a consent order.

“The agency has also said it will consider Twitter in violation of its order if Musk does not appear for a deposition July 25 in San Francisco,” Cat adds.

House and Senate lawmakers introduce bill to revamp FISMA, a key government cybersecurity bill

House and Senate lawmakers unveiled a bill this week to revamp the Federal Information Security Modernization Act (FISMA) in an effort to modernize and address governmental changes in the federal cybersecurity landscape.

“The Federal Information Security Modernization Act of 2023 will improve coordination across the federal government to help civilian federal agencies and contractors protect their networks against cybersecurity threats,” according to a release by lawmakers that adds that the bill “also clarifies roles and responsibilities for key agencies that lead federal information security policy and operations.”

The bill would overhaul a 2014 version of FISMA and aims to support more effective federal cybersecurity practices and improve coordination between the Office of Management and Budget (OMB) and major federal cyber agencies.

For instance, FISMA 2023 would direct all civilian agencies to report cyberattacks to Congress and the Cybersecurity and Infrastructure Security Agency and grants CISA additional cyber incident response authorities.

The bill also requires OMB “to develop guidance for federal agencies to use so they can efficiently allocate the cybersecurity resources they need to protect their networks,” according to the committee.

The bill is backed by a slew of cyber-focused lawmakers, including Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) and Sen. Josh Hawley (R-Mo.); House Oversight Committee Chairman James Comer (R-Ky.) and the committee’s top Democrat, Jamie Raskin (D-Md.); and the top lawmakers on the Oversight Committee’s cybersecurity and IT subcommittee, Reps. Nancy Mace (R-S.C.) and Gerald E. Connolly (D-Va.).

Correction: The headline of a previous version of this story referred to FISA instead of FISMA. This version has been updated.

Arizona escalates probe into alleged efforts to swing 2020 election toward Trump

Arizona’s head prosecutor is expanding a criminal investigation into alleged attempts by Republicans to overturn the results of the 2020 presidential election in the state when they signed and transmitted paperwork declaring former president Donald Trump the winner, our colleague Yvonne Wingett Sanchez reports, citing two people familiar with the matter.

Yvonne writes: “Arizona Attorney General Kris Mayes (D) assigned a team of prosecutors to the case in May, and investigators have contacted many of the pro-Trump electors and their lawyers, according to the two people who spoke on the condition of anonymity to candidly describe the probe.”

“Investigators have requested records and other information from local officials who administered the 2020 election, the two people said, and a prosecutor has inquired about evidence collected by the Justice Department and an Atlanta-area prosecutor for similar probes,” the report adds.

The investigation is in a “fact-gathering” phase, said Dan Barr, Mayes’s chief deputy, who also declined to say whether subpoenas have been issued.

“This is one of several investigations into attempts to overturn the election results,” Yvonne notes. “There is a federal criminal probe being led by special counsel Jack Smith, who was appointed by Attorney General Merrick Garland to examine the sprawling efforts in several states intended to reverse Trump’s loss.”

No comments:

Post a Comment