This blog post is based on the detailed analysis provided by Microsoft Security Blog on the techniques used by the threat actor tracked as Storm-0558 for unauthorized email access.
Executive Summary
On July 11, 2023, Microsoft published two blogs detailing a malicious campaign by a threat actor tracked as Storm-0558 that targeted customer email. As Microsoft continues its investigation into this incident, they have provided a deeper analysis of the observed actor techniques for unauthorized access to email data, tools, and unique infrastructure characteristics.
Storm-0558 is a China-based threat actor with espionage objectives. Beginning May 15, 2023, Storm-0558 used forged authentication tokens to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. Microsoft has successfully blocked this campaign from Storm-0558.
Actor Overview
Microsoft Threat Intelligence assesses with moderate confidence that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives. While there are some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), Storm-0558 operates as its own distinct group.
Storm-0558 has primarily targeted US and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests. The objective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts belonging to employees of targeted organizations. Storm-0558 pursues this objective through credential harvesting, phishing campaigns, and OAuth token attacks.
Actor Techniques
Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation.
Once authenticated through a legitimate client flow leveraging the forged token, the threat actor accessed the OWA API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA. The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw.
Actor Tooling
Storm-0558 uses a collection of PowerShell and Python scripts to perform REST API calls against the OWA Exchange Store service. The generated web requests can be routed through a Tor proxy or several hardcoded SOCKS5 proxy servers. The scripts contain highly sensitive hardcoded information such as bearer access tokens and email data, which the threat actor uses to perform the OWA API calls.
Actor Infrastructure
During significant portions of Storm-0558’s malicious activities, the threat actor leveraged dedicated infrastructure running the SoftEther proxy software. Proxy infrastructure complicates detection and attribution of Storm-0558 activities.
Indicators of Compromise (IOCs)
Microsoft has provided a list of IOCs related to the Storm-0558 campaign. These IOCs include IP addresses used by the threat actor, the thumbprint of the acquired signing key, and SHA-1 hashes of the sign-in pages used by the threat actor. You can find the complete list of IOCs in the original Microsoft Security Blog post.
- 51.89.156[.]153
- 176.31.90[.]129
- 137.74.181[.]100
- 193.36.119[.]45
- 185.158.248[.]159
- 131.153.78[.]188
- 37.143.130[.]146
- 146.70.157[.]45
- 185.195.200[.]39
- 185.38.142[.]229
- 146.70.121[.]44
- 31.42.177[.]181
- 185.51.134[.]52
- 173.44.226[.]70
- 45.14.227[.]233
- 185.236.231[.]109
- 178.73.220[.]149
- 45.14.227[.]212
- 91.222.173[.]225
- 146.70.35[.]168
- 146.70.157[.]213
- 31.42.177[.]201
- 5.252.176[.]8
- 80.85.158[.]215
- 193.149.129[.]88
- 5.252.178[.]68
- 116.202.251[.]8
- 185.158.248[.]93
- 20.108.240[.]252
- 146.70.135[.]182
MITRE ATT&CK TTPs
The tactics, techniques, and procedures (TTPs) used by Storm-0558 align with several entries in the MITRE ATT&CK framework. These include:
- T1078: Valid Accounts: Storm-0558 used valid account credentials to sign into compromised user’s cloud email accounts.
- T1114: Email Collection: The threat actor collected information from the email account over the web service.
- T1566: Phishing: Storm-0558 has been observed to obtain credentials for initial access through phishing campaigns.
- T1190: Exploit Public-Facing Application: The actor has also exploited vulnerabilities in public-facing applications to gain initial access to victim networks.
Recommendations
Microsoft has mitigated this activity on their customers’ behalf for Microsoft services. No customer action is required to prevent threat actors from using the techniques described above to access Exchange Online and Outlook.com.
This blog post is intended to provide a comprehensive overview of the Storm-0558 threat actor and their techniques based on the analysis provided by Microsoft. For more detailed information, please refer to the original Microsoft Security Blog post.