Hackers targeted the US official who is cracking down on trade with China

US commerce secretary Gina Raimondo traded barbs with Chinese commerce minister Wang Wentao in May

We may earn a commission from links on this page.
Image for article titled Hackers targeted the US official who is cracking down on trade with China
Photo: Sarah Silbiger (Reuters)

Chinese hackers have breached the email systems of officials from more than 20 different agencies around the world, including in the US, gaining access to dozens of confidential emails hosted by Microsoft, according to the software company and the White House.

At the center of the cyber attack, the Washington Post reports, are the email accounts of US Commerce Department secretary Gina Raimondo as well as those of other officials at her agency and at the US State Department; they were breached just weeks before secretary of State Antony Blinken traveled to Beijing in June for talks on their relations and trade.


Blinken’s visit to China had followed the spy balloon saga that further strained relations between the countries.

During a cabinet-level meeting in Washington in May, Raimondo and Chinese commerce minister Wang Wentao disagreed over several policies on trade, investment, and export controls. This further heightened the tensions between Beijing and Washington. Raimondo has previously advised US companies to move with caution when investing in China.


How the Microsoft email breach happened

In addition to carrying out one of the biggest cyber espionage campaigns against the US, the hackers, known as Storm-0558 according to Microsoft, primarily targeted government agencies in western Europe and focused on intelligence, data theft, and credential access.

“Our investigation revealed that beginning on May 15, 2023, Storm-0558 gained access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts of individuals likely associated with these organizations,” Microsoft said in a July 11 statement.

The company’s analyses determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by falsifying authentication tokens to access emails using an acquired Microsoft account (MSA) consumer signing key. Microsoft says it has “completed mitigation of this attack for all customers.”


Microsoft’s MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and are only valid for their specific protocols. But the hackers used a token validation loophole to impersonate Azure AD users and gain access to enterprise mails.

In a May 24 cyber alert, the software maker revealed that another Chinese hacker group, named Volt Typhoon, had been conducting malicious cyber activities on US cyber infrastructure via Guam, an island territory in the north Pacific Ocean that hosts three critical American military bases. In a press statement then, the director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, said China’s “aggressive cyber operations” aim to “steal intellectual property and sensitive data from organizations around the globe.”