
Chinese hackers breached US government emails via Microsoft Cloud exploit

The espionage-focused group had access to impacted email data for a month before being detected.

A cartoon illustration shows a shadowy figure carrying off a red directory folder, which has a surprised-looking face on its side.
Around 25 organizations and government agencies are believed to be affected by the breach.
Illustration: Beatrice Sala

In two blog posts published on Tuesday, Microsoft disclosed that a China-based hacking group — which the company refers to as “Storm-0558” — is intent on “gaining access to email systems for intelligence collection.” It said the espionage-focused group breached an unidentified number of email accounts linked to around 25 organizations, including some related individual consumer accounts and government agencies in Western Europe and the US. 

According to The Washington Post, it was the US government that notified Microsoft of the exploit. “Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service,” National Security Council spokesperson Adam Hodges said to the publication. “We continue to hold the procurement providers of the US government to a high security threshold.”

The group used forged authentication tokens to access the affected email accounts via Outlook Web Access in Exchange Online (OWA), starting on May 15th and remaining undetected for a month until Microsoft began its investigation on June 16th following “customer reported information.”

The hack affected unclassified systems and doesn’t appear to have compromised email accounts linked to the Pentagon, military, or intelligence community, according to The Washington Post’s sources.

Microsoft has contacted all customers targeted during the security breach and implemented mitigations for them. The tech giant said it has hardened its defenses by adding “substantial automated detections” to flag activity associated with the attack and is now working with the Department of Homeland Security’s cyber defense agency to protect affected users. The remaining organizations and government agencies compromised by the hackers have not been disclosed.

Hackers affiliated with the Chinese state were reportedly behind a 2015 cyberattack targeting US government security clearance records that affected 21.5 million people. The Russia-linked SolarWinds hack in 2020 was initially believed to have impacted up to 18,000 customers who had downloaded the malicious software update, which cybersecurity reporter Joseph Menn noted included various US government and enterprise networks. However, updated figures from SolarWinds later estimated that fewer than 100 customers were actually compromised. SolarWinds software was attacked again in 2021 by a Chinese hacker group with the presumed goal of accessing information connected to the US defense industry.

Update July 13th 9.30AM ET: Added more recent estimates and details about the number of SolarWinds customers compromised via the malicious update in 2020.