top of page

China-Based Hacking Group Breaches Government Email Accounts, Microsoft Reports

Microsoft Corporation revealed that a China-based hacking group, known as Storm-0558, successfully infiltrated email accounts associated with government agencies in Western Europe. This group, specializing in espionage and data theft, managed to gain unauthorized access to approximately 25 organizations, including government agencies, as well as individual accounts linked to these entities. Alarmingly, the hackers were able to maintain their presence undetected for nearly a month before Microsoft received reports from concerned customers regarding abnormal mail activity.

According to Microsoft's executive vice president of security, Charlie Bell, it is believed that Storm-0558 primarily focuses on espionage activities, particularly the acquisition of sensitive intelligence through unauthorized access to email systems. In response to this breach, Microsoft promptly addressed the security incident and took appropriate measures to mitigate the damage. The affected customers have been notified of the situation.

The hacking group executed this breach by employing a tactic known as authentication token forgery. Authentication tokens serve as a means to verify a user's identity and are necessary for accessing email accounts securely. Storm-0558 was able to manipulate these tokens, effectively bypassing the authentication process and gaining illicit entry into the targeted email accounts. As the threat landscape continues to evolve, organizations must remain vigilant and implement effective strategies to detect and mitigate potential breaches. The breach serves as a reminder that government agencies and individuals alike must prioritize cybersecurity practices to protect against sophisticated hacking groups seeking unauthorized access to valuable data. We heard from cybersecurity experts from across the industry about what organizations should take away from the attack: Snehal Antani, CEO and Co-Founder of

"With everyone pointing fingers at Microsoft, there actually is a bigger concern. When thinking about credential stuffing, this attack is used to first gain access to credentials for one online account, and then use those same credentials to access other online accounts. Was that the motive?

In terms of password spraying, this attack is focused on reusing a username without knowing the password. Attackers then try commonly used passwords to log in to other systems. Maybe this was the motive? Either way, the key takeaway is that there is now a long tail of risk that exists for all victims of the compromise which could extend for quite a long period of time.” Dave Ratner, CEO, HYAS

"This is yet another example where having visibility into anomalous communication to command-and-control structures, aka adversary infrastructure, is a vital part of a defense-in-depth strategy and a key component of the overall security stack. If organizations haven't yet deployed Protective DNS across their infrastructure and environments, they should make plans to do so immediately." Shobhit Gautam, Solutions Architect, HackerOne

“Exploiting vulnerabilities in the supplier network has become a key tactic in the attacker’s playbook. The best way to identify complex vulnerability risk is to take an outsider’s mindset that looks at how an attacker might make use of a variety of weaknesses to chain together to have a far more powerful impact. Government has been quick on the update of harnessing human intelligence to secure their defenses. The US DoD, UK’s NCSC, and UK MoD are already working with ethical hackers, with the US DoD having fixed over 45,000 vulnerabilities as a result." ###


bottom of page