Microsoft announced Tuesday that it had mitigated an attack by a China-based threat actor that targeted cloud-based customer email in Microsoft 365 at about 25 organizations. Microsoft tied the attacks to a threat group it tracks as Storm-0558, a cyber-espionage group focused on collecting sensitive information by penetrating email systems using forged authentication tokens.
According to a Microsoft advisory, Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access, but mainstream news outlets reported late Wednesday that both the Commerce and State departments were hacked, including Commerce Secretary Gina Raimondo.
Most security pros know that Microsoft offers several audit logging features across its suite of services. These features help organizations monitor user activity, detect unusual or potentially harmful behavior, and meet compliance requirements. For instance, in Microsoft 365, an admin can search the unified audit log, which includes events from Exchange Online, SharePoint Online, OneDrive for Business, Azure AD, Microsoft Teams, and other services. It records a variety of events such as file and page activities, login events, and admin activities.
Accessing and understanding these logs requires a certain level of technical understanding. Microsoft offers wide-ranging documentation to guide users through the process, and the user interface has been designed to be as intuitive as possible. It's worth noting that the audit logs are not enabled by default and admins need to turn them on manually. There’s also a delay of up to 24 hours or more before the audit logs appear in the search results in the security and compliance center. Furthermore, the logs are retained for a limited period, unless additional measures are taken for longer retention.
The impact of an attack can be severe as it can let an attacker impersonate legitimate users, access sensitive data, and move laterally within an organization's network undetected. My team would approach this kind of state-sponsored cyber-attack by taking the following steps:
- Depend on threat intelligence for understanding: It's crucial to understand the modus operandi of the threat actor, in this case, Storm-0558. The team needs to examine and understand the tactics, techniques, and procedures (TTPs) of this actor to predict future activities. Security teams should use intelligence from reports like the one released by Microsoft to create specific profiles for this threat actor.
- Conduct vulnerability and risk assessment: Evaluate the risk to our organization from Storm-0558 given that they have primarily targeted organizations in Western Europe and the United States. This requires assessing whether the attack vectors and methods used by Storm-0558 are relevant to our environment and likely to succeed in it.
- Implement preventive measures: Based on the known techniques used by Storm-0558, such as forging authentication tokens, we should reassess and reinforce our authentication mechanisms. This could include measures like strengthening multi-factor authentication (MFA) protocols, reviewing key management systems, and ensuring security patches are up-to-date.
- Offer awareness training: Ensure that the security team and relevant staff members are aware of this threat and can identify potential warning signs. Offer updated training on the new threat, emphasizing the importance of vigilance, reporting suspicious activities, and adhering to established security protocols.
- Encourage stakeholder communications: Keep senior leadership, board members, and other relevant stakeholders informed about the threat and the measures being taken to mitigate it. Clear and timely communication can help manage expectations and reduce potential panic or misinformation.
- Partner with external agencies: Just as Microsoft partnered with CISA, it's essential for us to establish and maintain relationships with relevant government agencies, industry associations, and cybersecurity firms. Sharing information about threats and defenses can benefit all involved parties.
- Practice continuous monitoring: Implement and strengthen automated detections for known indicators of compromise associated with this attack. Regularly monitor systems to detect and respond to any signs of intrusion.
- Conduct post-incident analysis: After the threat has been handled, conduct a detailed post-mortem analysis to understand what happened, what was done well, and where the team can improve. Incorporate these lessons into future security plans and strategies.
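The audit-log caveats above (logs must be enabled, results lag by up to 24 hours, retention is limited) and the "continuous monitoring" step both come down to the same routine task: pulling mailbox-access records out of the unified audit log and checking them against known indicators and against what is normal for each user. The script below is an added example written for this column; it is not Microsoft's code or Critical Start's. It reads records in the shape of the AuditData JSON column that Exchange Online's Search-UnifiedAuditLog cmdlet exports (fields such as CreationTime, Operation, UserId, ClientIP and ClientInfoString), focusing on the MailItemsAccessed operation, whose presence in the log depends on mailbox auditing and licensing. The sample export, the indicator IP list and the user names are all constructed placeholders, not real Storm-0558 indicators. Two detections run over the records: a match against the indicator list, and a mailbox access from a client string the user had never used during the baseline period. Each alert is also tagged when it falls inside the last 24 hours, where, per the column, the log may still be incomplete.

```python
"""Triage a Microsoft 365 unified audit log export for suspicious mailbox access.

Added example; not code from the column, from Microsoft or from Critical Start.
Record layout follows the AuditData JSON exported by Search-UnifiedAuditLog; the
records, user names and indicator IPs below are constructed placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder indicators (documentation-range addresses, not real IoCs).
KNOWN_BAD_IPS = {"203.0.113.45", "198.51.100.7"}

# The column notes search results can lag by up to 24 hours or more.
INGESTION_LAG = timedelta(hours=24)

# Constructed export: one AuditData JSON document per line.
SAMPLE_EXPORT = """\
{"CreationTime":"2023-07-01T09:00:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientIP":"192.0.2.10","ClientInfoString":"Client=OWA;Action=ViaProxy","Workload":"Exchange"}
{"CreationTime":"2023-07-02T10:15:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientIP":"192.0.2.11","ClientInfoString":"Client=OWA;Action=ViaProxy","Workload":"Exchange"}
{"CreationTime":"2023-07-03T11:30:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","ClientIP":"192.0.2.20","ClientInfoString":"Client=Microsoft Office 16","Workload":"Exchange"}
{"CreationTime":"2023-07-09T02:05:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientIP":"203.0.113.45","ClientInfoString":"Client=REST;Client=RESTSystem","Workload":"Exchange"}
{"CreationTime":"2023-07-09T03:40:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","ClientIP":"198.18.0.5","ClientInfoString":"Client=REST;Client=RESTSystem","Workload":"Exchange"}
{"CreationTime":"2023-07-09T04:00:00","Operation":"FileAccessed","UserId":"bob@example.gov","ClientIP":"198.18.0.5","ClientInfoString":"","Workload":"SharePoint"}
{"CreationTime":"2023-07-10T01:00:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","ClientIP":"192.0.2.20","ClientInfoString":"Client=Microsoft Office 16","Workload":"Exchange"}
"""


def parse_export(text):
    """Parse one JSON record per line; CreationTime becomes a datetime for comparisons."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def build_baseline(records, baseline_end):
    """Per-user set of client strings seen in mailbox access before baseline_end."""
    baseline = defaultdict(set)
    for rec in records:
        if rec["Operation"] == "MailItemsAccessed" and rec["CreationTime"] < baseline_end:
            baseline[rec["UserId"]].add(rec["ClientInfoString"])
    return baseline


def triage(records, baseline_end, now):
    """Return alerts for mailbox access matching an indicator or a new client per user."""
    baseline = build_baseline(records, baseline_end)
    alerts = []
    for rec in records:
        if rec["Operation"] != "MailItemsAccessed":
            continue
        reasons = []
        if rec["ClientIP"] in KNOWN_BAD_IPS:
            reasons.append("known_indicator")
        seen = baseline.get(rec["UserId"], set())
        if rec["CreationTime"] >= baseline_end and rec["ClientInfoString"] not in seen:
            reasons.append("new_client_for_user")
        if reasons:
            alerts.append({
                "time": rec["CreationTime"].isoformat(),
                "user": rec["UserId"],
                "ip": rec["ClientIP"],
                "client": rec["ClientInfoString"],
                "reasons": reasons,
                # Records this recent may not all have been ingested yet: re-run later.
                "possibly_incomplete": rec["CreationTime"] > now - INGESTION_LAG,
            })
    return alerts


def run_sample():
    """Run the triage over the constructed export with fixed baseline and 'now' values."""
    records = parse_export(SAMPLE_EXPORT)
    baseline_end = datetime(2023, 7, 8)
    now = datetime(2023, 7, 10, 3, 0, 0)
    return triage(records, baseline_end, now)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed data the script raises two alerts: one for alice, whose mailbox was read from an indicator-list address by a REST client she had never used, and one for bob, whose mailbox was read by a new client from an address that is not on the list at all; the second alert is flagged as possibly incomplete because it sits inside the 24-hour lag window. The second case is the one worth noticing in practice: indicator matching only catches what has already been published, while the per-user client baseline catches access that is merely unusual, which is the kind of signal a forged-token intrusion tends to leave.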
Our team evaluates all research, including threat intelligence published by Microsoft. However, I must acknowledge that we do not normally consume the kind of research Microsoft posted this week on the Chinese APT group in the same way that Microsoft does. State-sponsored cyber-attacks like these are complex and persistent, requiring ongoing vigilance and a proactive approach to cybersecurity.
The average security team should view research like this as an opportunity to learn, reassess their strategies, strengthen their understanding of the evolving threat landscape, and improve their security posture, even if they cannot fully emulate the response of larger, more specialized cybersecurity firms. When news of state-sponsored attacks breaks, even an average security team should take it seriously and proactively respond. They may not have the resources for deep threat analysis; however, there are always steps businesses can take to protect their organization.
Callie Guenther, cyber threat research senior manager, Critical Start