Storm-0558 Forensic Analysis

By Kevin Lanier on March 7, 2025

Executive Summary

On June 16th 2023, Microsoft disclosed that a China-based group known as “Storm-0558” had exploited a vulnerability in Microsoft's cloud authentication system. The group was able to steal email credentials from the US government, European entities and private companies. The attack was possible because of a stolen signing key, which allowed the group to forge authentication tokens and access cloud-based services. Microsoft invalidated the compromised MSA signing key to block further access and updated its logging and monitoring to detect sign-in attempts that use the forged tokens. Organizations using Microsoft cloud services should strengthen identity security, enforce stricter authentication policies, and implement robust monitoring to prevent similar threats.

Background

Storm-0558 is a China-based threat actor primarily engaged in cyber-espionage. The group has been active since at least August 2021, focusing on credential harvesting, phishing campaigns, and OAuth token attacks to gain unauthorized access to the email accounts of targeted organizations [2]. Storm-0558 targets US and European governing bodies and individuals connected to Taiwanese and Uyghur geopolitical interests. In the Microsoft cloud authentication exploit, the group stole cryptographic signing key material; a signing key is a private key used to generate digital signatures that verify the authenticity and integrity of data. Because a service trusts a token precisely on the strength of the identity provider's signature, possession of the signing key let the attackers forge authentication tokens that Microsoft cloud services accepted as genuine.
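The paragraph above explains the mechanism at a high level: whoever holds a trusted signing key can mint tokens a relying service will accept. The following added example (written for this page; it is not Microsoft's code and does not describe Microsoft's actual token validation) models the defender-side check that limits the blast radius of such a key. It uses HMAC-SHA256 instead of the asymmetric keys real identity providers publish, and the issuer URLs, audience, key ids and secrets are constructed. The "naive" verifier accepts any token whose signature checks under any trusted key; the "strict" verifier additionally requires that the key named in the header is bound to the issuer the service expects and that iss, aud and exp match.

```python
import base64
import hashlib
import hmac
import json
import time

# Fixed clock so the demo is reproducible; all claims below are constructed.
NOW = 1_700_000_000
ENTERPRISE_ISS = "https://login.example.com/enterprise"  # assumed issuer URL
CONSUMER_ISS = "https://login.example.com/consumer"      # assumed issuer URL
MAIL_AUD = "api://mail.example.com"                      # assumed audience

# Constructed key set. Each key is bound to the single issuer it may sign for.
# Production identity providers publish asymmetric (RSA/EC) keys; HMAC-SHA256
# keeps this example runnable with the standard library alone.
KEYSET = {
    "kid-enterprise-01": {"issuer": ENTERPRISE_ISS, "secret": b"enterprise-demo-secret"},
    "kid-consumer-01": {"issuer": CONSUMER_ISS, "secret": b"consumer-demo-secret"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, secret: bytes) -> str:
    """Produce a compact JWS (header.claims.signature) signed with `secret`."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _signature_ok(token: str, keyset: dict):
    """Return (kid, claims) if the signature verifies under the key named in the header."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    key = keyset.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return header["kid"], json.loads(_b64url_decode(claims_b64))


def naive_verify(token: str, keyset: dict):
    """Weak verifier: any trusted key is good enough; claims are never checked against the key."""
    result = _signature_ok(token, keyset)
    return None if result is None else result[1]


def strict_verify(token: str, keyset: dict, expected_iss: str, expected_aud: str, now: float = None):
    """Hardened verifier: the key must belong to the expected issuer, and iss/aud/exp must match."""
    result = _signature_ok(token, keyset)
    if result is None:
        return None
    kid, claims = result
    now = time.time() if now is None else now
    if keyset[kid]["issuer"] != expected_iss:  # key from a different trust domain
        return None
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def demo_outcomes() -> dict:
    """Compare both verifiers on a legitimate enterprise token and on a token signed
    with the consumer key while claiming the enterprise issuer (the stolen-key case)."""
    claims = {"iss": ENTERPRISE_ISS, "aud": MAIL_AUD, "sub": "alice", "exp": NOW + 3600}
    legit = sign_token(claims, "kid-enterprise-01", KEYSET["kid-enterprise-01"]["secret"])
    cross_domain = sign_token(claims, "kid-consumer-01", KEYSET["kid-consumer-01"]["secret"])
    return {
        "legit_naive": naive_verify(legit, KEYSET) is not None,
        "legit_strict": strict_verify(legit, KEYSET, ENTERPRISE_ISS, MAIL_AUD, NOW) is not None,
        "cross_domain_naive": naive_verify(cross_domain, KEYSET) is not None,
        "cross_domain_strict": strict_verify(cross_domain, KEYSET, ENTERPRISE_ISS, MAIL_AUD, NOW) is not None,
    }


if __name__ == "__main__":
    print(demo_outcomes())
```

The point of the comparison is that a valid signature alone says only "some trusted key signed this"; binding each key to one issuer, and checking the issuer, audience and expiry against that binding, means a key stolen from one trust domain cannot be turned into tokens for another. The same scoping also makes key rotation and revocation effective, because removing one entry from the key set removes exactly the tokens it could have signed.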

Impact

Microsoft disclosed the damage Storm-0558 did to users of its cloud authentication system on June 16th 2023. Subsequent investigation revealed that the attackers had been accessing email data since May 15, 2023 [3], and within that window they reached email data from approximately 25 organizations. The breach compromised the confidentiality of those organizations' communications and left them exposed to follow-on attacks or misuse of their data. Microsoft invalidated the compromised MSA signing key and updated its monitoring criteria to prevent further access.
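Once a signing key is invalidated, the forensic question is which sign-ins were made with tokens that key signed, from when, and against which tenants. The following added example (not part of the original report, and not Microsoft's telemetry schema) runs that hunt over a handful of constructed sign-in events: it reads the unverified key id from each bearer token's header, flags successful sign-ins whose key is revoked or was never published, and summarises first/last seen, affected tenants and count per key. Field names, tenants and key ids are all invented.

```python
import base64
import json


def _header_kid(token: str):
    """Read the key id from a token's header without verifying the signature."""
    head = token.split(".")[0]
    head += "=" * (-len(head) % 4)
    return json.loads(base64.urlsafe_b64decode(head)).get("kid")


def _demo_token(kid: str) -> str:
    # Only the header matters for this hunt; payload and signature are placeholders.
    header = json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"


# Constructed sign-in events, not real telemetry. Tenants and key ids are invented.
SIGNIN_EVENTS = [
    {"ts": "2023-05-15T08:02:11Z", "tenant": "agency-a", "token": _demo_token("kid-stolen-01"), "result": "success"},
    {"ts": "2023-05-15T09:40:27Z", "tenant": "agency-a", "token": _demo_token("kid-current-01"), "result": "success"},
    {"ts": "2023-05-20T14:12:05Z", "tenant": "corp-b", "token": _demo_token("kid-stolen-01"), "result": "success"},
    {"ts": "2023-06-01T11:05:43Z", "tenant": "corp-c", "token": _demo_token("kid-unlisted-99"), "result": "success"},
    {"ts": "2023-06-16T16:30:00Z", "tenant": "corp-b", "token": _demo_token("kid-stolen-01"), "result": "failure"},
    {"ts": "2023-06-17T07:00:09Z", "tenant": "agency-a", "token": _demo_token("kid-current-01"), "result": "success"},
]

PUBLISHED_KIDS = {"kid-current-01"}  # keys the provider currently advertises
REVOKED_KIDS = {"kid-stolen-01"}     # keys invalidated after the incident


def hunt_suspect_key_usage(events, published_kids, revoked_kids):
    """Group successful sign-ins by token key id when the key is revoked or was never
    published. Returns {kid: {"reason", "first_seen", "last_seen", "tenants", "count"}}."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 UTC sorts lexically
        kid = _header_kid(ev["token"])
        if kid in revoked_kids:
            reason = "revoked-key"
        elif kid not in published_kids:
            reason = "unpublished-key"
        else:
            continue
        if ev["result"] != "success":
            continue  # rejected tokens are expected after revocation; successes show a gap
        entry = findings.setdefault(kid, {"reason": reason, "first_seen": ev["ts"],
                                          "last_seen": ev["ts"], "tenants": set(), "count": 0})
        entry["last_seen"] = ev["ts"]
        entry["tenants"].add(ev["tenant"])
        entry["count"] += 1
    return findings


if __name__ == "__main__":
    for kid, f in hunt_suspect_key_usage(SIGNIN_EVENTS, PUBLISHED_KIDS, REVOKED_KIDS).items():
        print(kid, f["reason"], f["first_seen"], "->", f["last_seen"], sorted(f["tenants"]), f["count"])
```

Two design points matter for a real investigation. First, the hunt keys on the header's kid rather than on a signature check, because the point is to find tokens the service already accepted; that is why only successful events are counted and why the post-revocation failure is dropped. Second, "unpublished key" is reported separately from "revoked key": a key id that never appeared in the provider's published set is a different finding (possible validation bug or unexpected trust path) from a known key that was later pulled.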

Storm-0558 uses the stolen data to monitor communications and gather intelligence on target organizations. These attacks appear to align with the strategic interests of the Chinese government by giving it an intelligence advantage over rival nation-states. The information could also enable more sophisticated and damaging cyberattacks in the future. An example of this is the Cicada group’s 2023 attack on telecommunications and technology companies: the attackers had previously gathered detailed information about those organizations’ networks and infrastructure, which allowed them to carefully plan and execute a more precise attack [4]. Similarly, Storm-0558 could use what it gained in the cloud attack to seed future incidents.

Mitigation

The Department of Homeland Security’s Cyber Safety Review Board found that the Storm-0558 attack was preventable and resulted from Microsoft’s inadequate prioritization of security [6]. Microsoft could have applied modern security controls and threat models. For example, the Cloud Security Alliance’s Cloud Controls Matrix (CCM) adds layers of protection on top of data encryption, such as secure key storage and controlled role assignment; those controls could have reduced the risk of key theft and prevented unauthorized access to or misuse of encrypted material [1]. Publicly sharing a security reform plan with specific timelines would hold Microsoft accountable. Lastly, government and private-sector organizations should improve their cloud security practices and risk management. Had Microsoft and its partner businesses layered these crucial mitigations, Storm-0558 might not have succeeded even with the stolen signing key material.

Relevance

State-sponsored espionage groups like Storm-0558 pose a significant threat because of their resources, expertise, and strategic objectives. Their activities can strain relations between the countries involved, and cyberattacks combined with other provocations from an aggressor can escalate to all-out war. One example is the Russo-Ukrainian War: Russian cyber operations targeting Ukraine have been documented extensively, particularly following the annexation of Crimea in 2014 [5], and intensified in the years leading up to the 2022 invasion. Groups like Storm-0558 exemplify the sophisticated and damaging nature of state-sponsored cyber-espionage; their operations threaten not only the security of targeted entities but also international relations and economic stability.

References

[1] Cloud Security Alliance. (2024, November 2). CCM Video Series – CEK: Cryptography, Encryption, and Key Management. Cloud Security Alliance. https://cloudsecurityalliance.org/artifacts/ccm-video-series-cek-cryptography-encryption-and-key-management

[2] Microsoft. (2023, July 14). Analysis of Storm-0558 Techniques for Unauthorized Email Access. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

[3] Microsoft. (2023, July 11). Mitigating Storm-0558, a China-based threat actor targeting email systems. Microsoft On the Issues. https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/

[4] O’Donnell-Welch, L. (2022, April 6). APT10 Espionage Attacks on U.S. Orgs Uncovered. Decipher. https://duo.com/decipher/apt10-espionage-attacks-on-u-s-orgs-uncovered

[5] Przetacznik, J., & Tarpova, S. (2022, June 20). Cybersecurity in the EU Common Security and Defence Policy (CSDP). European Parliamentary Research Service. https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/733549/EPRS_BRI(2022)733549_EN.pdf

[6] U.S. Department of Homeland Security. (2024, April 2). Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023. Department of Homeland Security. https://www.dhs.gov/archive/news/2024/04/02/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer