The agencies involved have not been confirmed, but some seem to think that the targets were the US State Department, the Department of Commerce, an unnamed congressional staffer, several US think tanks, and an unnamed US human rights activist. These are all unconfirmed but are coming from different “sources close to the matter” via general press outlets. If these targets are accurate, it is not surprising given recent visits and events happening and an increased tension between the US/NATO and Russian/China.

The new group was identified by Microsoft on the 11th of July and is being tracked as Storm-0558. Microsoft, who was involved in the incident response, has said that the group was able to access the accounts and exfiltrated unclassified data. They also note that Storm-0558was able to forge access tokens through the use of a Microsoft Account signing key although they have either not identified or disclosed how the attacker was able to gain access to the MSA signing key. This is not some basic script kiddies here but does show the work of a much more organized and sophisticated group (possibly state sponsored as already suspected). The APT group was also found to be using custom malware in their attacks with allowed for execution of files in memory after decrypting them to help avoid detection.

The combined CISA and FBI report indicates that the original detection was via Microsoft365 Event logs. Organizations are encouraged to ensure they have universal logging enabled at all times to capture potentially anomalous events. CISA does have a long list of security configurations that are listed as minimums (lots of use of “MUST”). All of these configurations make sense and are advisable. However, not every licensing level gets the same access to specific logs (outside of government organizations). This leaves something of a disparity in what can be enabled to keep MS365 environments more aware of potential security events. Services like Microsoft Purview are additional purchases even for enterprise licensing although the security and compliance center does still have many options to give broader awareness. Enabling universal logging and monitoring for forwarding rules, email access, view, and move/delete are also highly recommended as attackers often start off a campaign by creating rules to mask their activities.

The emergence of a new APT group like Storm-0558 shows that organizations cannot rely on just having things in the cloud to protect their data. They must ensure they are looking for threats and executing good processes when they are detected. To accomplish this, they need the right teams with the right skillsets. I understand that many organizations budgets are tight and cybersecurity spending is only viewed as a cost and not a guarantee of maintaining revenue like it should be. If clou environments like MS365 are not properly cared for now with the right spending, you will just pay for the same thing later only with the added bonus of fines, legal fees, and reputational harm.
Stay safe out there