The recently discovered Chinese cyber-espionage campaign against key endpoints in the West continues to send out ripples through the cybersecurity world, as Microsoft announces plans to offer some of its tools for free.
A report by the Wall Street Journal claims the Redmond giant is planning on offering some security tools for free, including those that were used by the State Department to spot the intrusion in the first place.
This follows a June 2023 incident in which the US State Department informed Microsoft of an intrusion into its email inboxes. Further analysis discovered that a Chinese threat actor, known as Storm-0558, used authentication tokens forged with a stolen Microsoft account consumer signing key to access the inboxes. The attackers were lurking in the emails for roughly a month, during which they managed to access some sensitive data, although it’s impossible to determine the exact scope of the intrusion.
Now, to better combat similar threats in the future, Microsoft is making 31 critically important security logs available to customers on its cheaper cloud service packages. That includes the email log that the State Department used to spot the attack. Furthermore, the retention period for security logs is being extended from 90 to 180 days.
The change is expected to take effect in September 2023.
Vasu Jakkal, a vice president of security at Microsoft, told the Wall Street Journal that the change didn’t come as a result of the Chinese hack, and that it was in the works for quite some time now. The incident did speed up the process, though, with Jakkal noting that, “There was clearly an urgency to get this done, given the sophistication of the landscape.”
Analysis: Why does it matter?
Event logs cannot prevent cyberattacks, but they are an essential tool for spotting unusual activity on the network, which lets IT teams identify intruders and cut off their access. In this particular case, the State Department used a tool that was only available to Microsoft customers using the company’s highest-tier Microsoft 365 cloud service, known as E5. Other organizations, with lower-tier solutions, had no way of identifying the attack.
“This is a significant step forward to ensuring that every Microsoft customer has the right visibility to detect other threats that we know are targeting American organizations every day,” Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency, told the Wall Street Journal.
Democratic Sen. Ron Wyden of Oregon praised Microsoft for the idea, but warned about firms putting profit above security: “It shouldn’t have taken multiple disastrous hacks of federal systems for Microsoft to make essential security features standard for government customers, but better late than never,” Wyden said in a statement. “Going forward, federal agencies should insist that software contracts include security logs and other cybersecurity features, so our national security is no longer compromised by a shoddy procurement process.”
The publication also claimed that following the attack, Microsoft faced backlash for putting such an important cybersecurity tool in a tiered system. Even senior officials in the Biden administration, senators, and cybersecurity experts urged Microsoft not to put these tools behind such a high paywall.
Another problem is the obvious lack of awareness of what each tier of Microsoft’s cloud services actually includes. “I consult with organizations regularly that only find out they are missing these logs when they have to investigate an account takeover,” Jake Williams, a cybersecurity consultant, told the publication.
What have others said about the breach?
The Chinese lashed out at the reports published by Microsoft and the U.S. Government, accusing the United States of being the biggest cyberattacking empire on the planet. In a Metro report, the Chinese foreign ministry spokesman Wang Wenbin was cited as saying: “No matter which agency issued this information, it will never change the fact that the United States is the world’s largest hacker empire conducting the most cyber theft.” “Since last year, the cybersecurity organizations of China and other countries have issued many reports exposing the cyber attacks on China by the US government over a long period of time, but the US has not made a response so far.”
Shobhit Gautam, solutions architect at cybersecurity firm HackerOne, hinted that the Chinese are getting better at cyberattacks: “Storm-0558, speculated to be a state-sponsored actor, is also known to use custom malware such as Cigril and Bling for the purpose of espionage,” Gautam said. “The US DoD, UK’s NCSC, and UK MoD are already working with ethical hackers, with the US DoD having fixed over 45,000 vulnerabilities as a result.”
CISA’s Goldstein described it as a “sophisticated attack”, while Steven Adair, president of Volexity, criticized Microsoft for how it tiered logs. He said Volexity worked with one of the affected firms and “despite a notification from Microsoft regarding unauthorized access, we could not find any corroborating evidence.”
“The incident was invisible to us with the data at our disposal and this was due to the customer’s M365 license level: E3,” he said.
The U.S. and its Western allies have been accusing China of abusing technology for cyber espionage for years now. At one point, Huawei was banned from developing key 5G infrastructure in the West, as lawmakers said the Chinese government could force the firm to install backdoors and use them to spy on Western communications.
Via: Wall Street Journal