Chinese hackers obtained a consumer signing key that was used to breach U.S. officials’ emails earlier this year through a Microsoft engineer’s account, the company said Wednesday.
An investigation into the breach found that a consumer signing system crash in April 2021 produced a snapshot of the crash process, also known as a crash dump, that incorrectly contained the consumer signing key, Microsoft said.
The crash dump and signing key were then moved from the company’s “isolated” production network into its internet-connected corporate network as part of the standard debugging process, Microsoft said.
The Chinese hackers tied to the breach, known as Storm-0558, were able to access the debugging environment that contained the signing key through the corporate account of a Microsoft engineer. The key was then used to forge authentication tokens to access the emails.
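To make concrete why a leaked signing key is so damaging, the following is an added example (not code from the article or from Microsoft) of what "forging authentication tokens" means: whoever holds the key a token verifier trusts can mint a token asserting any identity, and the verifier cannot distinguish it from a genuine one. An HMAC-SHA256 secret stands in for the leaked key so the example runs on the Python standard library alone (the real key was asymmetric); the key identifiers, claim names, audience and user identity are all constructed for illustration. The second half shows the only control that changes the verifier's answer: removing the compromised key ID from the trusted set (revocation and rotation).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for a leaked signing key. The real key in the incident was
# asymmetric; an HMAC secret is used here only so the example runs on the stdlib.
# Nothing below is a real key, identifier, or Microsoft code.
LEAKED_SIGNING_KEY = b"constructed-example-signing-key"
LEAKED_KID = "signing-key-2021"          # hypothetical key identifier
ROTATED_SIGNING_KEY = b"constructed-replacement-key"
ROTATED_KID = "signing-key-2023"         # hypothetical replacement key identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, kid: str, claims: dict) -> str:
    """Build a JWT-style token (header.payload.signature) signed with `key`.

    This is what a legitimate token service does, which is why the signing key
    is the crown jewel: anyone holding it can call this with any claims.
    """
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, trusted_keys: dict) -> Optional[dict]:
    """Return the claims if the signature checks under the trusted key named in
    the `kid` header; otherwise None.

    A forged token and a genuine one are both correctly signed with the trusted
    key, so only the set of trusted keys (revocation/rotation) changes the outcome.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                    # malformed base64, JSON or UTF-8
        return None
    if not isinstance(header, dict):
        return None
    key = trusted_keys.get(header.get("kid"))
    if key is None:
        return None                       # unknown or revoked key ID
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                       # signature mismatch / tampering
    return json.loads(_b64url_decode(payload_b64))


def forge_for_victim(victim_upn: str) -> str:
    """What an attacker holding the leaked key can do: mint a token asserting
    any identity. Audience and scope claim values are hypothetical."""
    return mint_token(
        LEAKED_SIGNING_KEY,
        LEAKED_KID,
        {"sub": victim_upn, "aud": "mail-service", "scope": "Mail.Read"},
    )


def demo() -> tuple:
    """Return (accepted_before_revocation, accepted_after_revocation)."""
    forged = forge_for_victim("victim@example.gov")   # constructed identity
    before = {LEAKED_KID: LEAKED_SIGNING_KEY}
    after = {ROTATED_KID: ROTATED_SIGNING_KEY}        # leaked kid removed
    return (
        verify_token(forged, before) is not None,
        verify_token(forged, after) is not None,
    )


if __name__ == "__main__":
    print(demo())
```

The verifier in `verify_token` is doing everything correctly: the forged token passes because it is genuinely signed with the trusted key, not because of a validation bug. That is the practical lesson for anyone operating a token service: key material must never leave the signing environment (including via crash dumps and debugging copies), and the response to a suspected leak is to drop the key ID from every verifier's trusted set and rotate, not to look for a flaw in signature checking.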
The company first revealed in July that the China-based cyber actor had gained access to email accounts from 25 organizations in the public cloud, including U.S. federal agencies, as part of an intelligence-gathering effort.
Microsoft said it began investigating the breach in mid-June in response to a customer report and found that hackers had gained access to the accounts starting in mid-May. National security advisor Jake Sullivan said the U.S. government was the first to discover the breach.
The breach reportedly impacted the State and Commerce departments, including Commerce Secretary Gina Raimondo, according to The Washington Post. However, the hackers did not gain access to any classified information, as the emails they targeted were unclassified, Sullivan said.
Republican lawmakers on the House Oversight and Accountability Committee announced last month that they were launching an investigation into the data breach and asked Raimondo and Secretary of State Antony Blinken for briefings about the “extent and ramifications” of the breach in their departments.