A China-based threat actor known as Storm-0558 obtained a sensitive cryptographic key from Microsoft [1], enabling them to conduct surveillance on the US State and Commerce Departments, as well as other US government agencies [2]. This breach occurred due to a crash in Microsoft’s consumer signing system [1], resulting in the exposure of the key.


In April 2021 [1] [2], Microsoft's consumer signing system crashed, producing a crash dump that contained the cryptographic signing key. Because of a race condition [1], the key was not redacted from the dump, and the dump was then inadvertently moved to a debugging environment that the attackers were able to reach [1]. Microsoft's limited visibility and log retention policies made it difficult to determine exactly how the key was exfiltrated from that environment [1]. Furthermore, an incorrect token validation process allowed tokens signed with the compromised key to be accepted, giving access to the email accounts of high-level US government officials, including the Secretary of Commerce [1]. Microsoft has taken remedial actions to address these issues and has implemented measures intended to prevent similar incidents.
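The page notes that an incorrect validation process let the stolen key be used, but does not describe the flaw itself. The example below is added here to illustrate the general defensive principle rather than Microsoft's actual code: a token validator should not only check that a signature comes from some trusted key, but also that the specific key is authorised for the audience the token claims. The key registry, key ids, secrets and audience names are all constructed for the example, and the signature scheme is a minimal HMAC-SHA256 compact token built from the standard library, so it runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed registry: every signing key is bound to the audiences it may sign for.
# Key ids, secrets and audience names are example values, not real Microsoft identifiers.
KEY_REGISTRY = {
    "consumer-key-A": {"secret": b"constructed-consumer-secret",
                       "audiences": {"consumer-mail"}},
    "enterprise-key-B": {"secret": b"constructed-enterprise-secret",
                         "audiences": {"enterprise-mail"}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Build a compact header.payload.signature token signed with the key named by kid."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEY_REGISTRY[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str):
    """Return (header, claims) if the signature verifies under a registered key, else (None, None)."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None, None
    entry = KEY_REGISTRY.get(header.get("kid"))
    if entry is None:
        return None, None
    expected = hmac.new(entry["secret"], f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, None
    return header, claims


def validate_weak(token: str, expected_aud: str) -> bool:
    """Weak check: any registered key is accepted for any audience.

    A valid signature from a key meant for one population of users is enough
    to get a token for a different population accepted."""
    header, claims = _verify_signature(token)
    return header is not None and claims.get("aud") == expected_aud


def validate_scoped(token: str, expected_aud: str) -> bool:
    """Hardened check: the signing key must also be authorised for the audience it signs for."""
    header, claims = _verify_signature(token)
    if header is None or claims.get("aud") != expected_aud:
        return False
    return expected_aud in KEY_REGISTRY[header["kid"]]["audiences"]


if __name__ == "__main__":
    # A token for the enterprise audience signed with the consumer-population key.
    cross_scope = sign_token("consumer-key-A", {"sub": "user@example.test", "aud": "enterprise-mail"})
    print("weak validator accepts cross-scope token:", validate_weak(cross_scope, "enterprise-mail"))
    print("scoped validator accepts cross-scope token:", validate_scoped(cross_scope, "enterprise-mail"))
```

The signature in the cross-scope token is genuine, so a validator that only asks "is this key one I trust?" accepts it; the scoped validator rejects it because the key is not bound to that audience. In a real deployment the binding would live in the published key set metadata rather than an in-process dictionary, and the audience claim may be a list, which this example does not handle.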


The Department of Homeland Security's Cyber Safety Review Board will conduct a thorough review of this breach, with a focus on identity management and authentication in the cloud. The incident underlines the importance of robust key handling and token validation, and of the continuous monitoring and log retention needed to reconstruct how a compromise unfolded. Addressing these weaknesses and strengthening the surrounding security processes reduces the likelihood and impact of similar breaches against sensitive government information.


[1] https://www.scmagazine.com/news/multiple-microsoft-failings-enabled-email-hacks-by-chinese-apt-group
[2] https://www.infosecurity-magazine.com/news/chinese-hacker-steals-microsoft/