
Cyber Incident Victim: United States Department of Commerce

Date: May 2023

Location: United States of America

Summary

Chinese state-linked hackers breached email accounts at the U.S. Commerce Department and other organizations by forging digital authentication tokens for Microsoft Outlook. The incident, attributed to a group known as Storm-0558, resulted in unauthorized access to unclassified systems, including the account of the Commerce Secretary. Separately, the department's public website was also disrupted by DDoS attacks claimed by the threat actor Anonymous Sudan.


Description

In May 2023, a state-linked Chinese hacking group, which Microsoft dubbed Storm-0558, began a campaign to covertly access email accounts. The group forged digital authentication tokens to gain unauthorized access to webmail accounts hosted on Microsoft's Outlook service. The activity targeted approximately 25 organizations, with a primary focus on entities in Western Europe, and included at least two United States government agencies: the U.S. State Department and the U.S. Commerce Department were confirmed to be among those affected. The email accounts of Department of State officials were compromised in this incident. The email account of Secretary of Commerce Gina Raimondo was also breached, making her the only known Cabinet-level official whose account was accessed by the hackers.


The United States government detected the breach of these federal government accounts fairly rapidly. Upon detection, officials immediately contacted Microsoft to identify the source of the intrusion and the specific vulnerability within the company's cloud service. The State Department reported that it had detected anomalous activity and took immediate steps to secure its systems in response. Similarly, the Commerce Department stated it took immediate action upon being notified of the compromise by Microsoft. The White House National Security Council clarified that this intrusion affected unclassified systems. A senior U.S. government official characterized the campaign as much narrower in scope than prior major incidents, explicitly stating it should not be compared to the sweeping SolarWinds compromise discovered in 2020. The U.S. government managed to prevent further breaches following the initial detection and response.

Microsoft, as part of its response to the observed nation-state actor activity, contacted all targeted or compromised organizations directly via their tenant administrators. The company provided these organizations with important information to assist them in investigating and responding to the incident. Microsoft publicly attributed the hacking campaign to the group Storm-0558 but did not initially disclose a full list of the affected organizations or governments. The White House National Security Advisor confirmed that the U.S. government had successfully prevented additional breaches after its initial detection.

In a separate series of events around the same time, the U.S. Commerce Department was also hit by disruptive cyber activity in the form of distributed denial-of-service (DDoS) attacks. These attacks, which occurred around June 2023, were claimed by the threat actor known as Anonymous Sudan. This group, which Microsoft tracks as Storm-1359, claimed responsibility for taking down the U.S. Commerce Department's website through a DDoS attack. The group also claimed attacks on other U.S. organizations, including the website of the U.S. Treasury Department's Electronic Federal Tax Payment System (EFTPS.gov), which was confirmed to be offline during the attack. Anonymous Sudan additionally claimed DDoS attacks against Microsoft services, causing outages affecting Outlook, OneDrive, and Azure web portals, and against other large global organizations such as Stripe, Scandinavian Airlines, Tinder, and Lyft, as well as various U.S. hospitals.

In response to these widespread DDoS attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on June 30, 2023. CISA reported it was aware of open-source reporting of targeted DoS and DDoS attacks against multiple organizations across multiple sectors. The agency advised all U.S. organizations to take proactive measures to ensure their security teams were prepared to thwart or mitigate the effects of such attacks. Recommended measures included having network administrators ready to quickly apply firewall rules or redirect incoming malicious traffic through DoS protection services. CISA also suggested organizations could enroll in dedicated DDoS protection services capable of rerouting malicious traffic and consult with their internet service providers for guidance. For federal civilian executive branch (FCEB) agencies, CISA, in collaboration with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), provided additional recommendations to utilize General Services Administration (GSA) tools like the Managed Security Service (MSS) and the Managed Trusted Internet Protocol Service (MTIPS) to counter DDoS effects and restore impacted systems.

The incident involving the breach of email accounts at the Commerce and State Departments was formally attributed to Chinese state-linked actors by both Microsoft and U.S. officials. The Chinese government, through its embassy in London, denied the allegations, calling them disinformation and labeling the U.S. government as the world's biggest hacking empire. Private sector cybersecurity experts observed that the newly discovered hacking activity demonstrated an improvement in Chinese cyber espionage capabilities, noting a significant evolution from older, less sophisticated tactics. The direct impacts of the email breach included the compromise of official communications within the affected agencies. The consequences of the DDoS attacks included temporary inaccessibility of web services, costing organizations time and money, and potentially imposing reputational costs while their resources were unavailable. The U.S. government's response involved a coordinated effort between agencies and the private sector vendor, Microsoft, to understand the vulnerability, contain the breach, and secure systems against further unauthorized access.
