Cyber Archives - Digital Journal

EU looks to AI to battle cyber threats
https://www.digitaljournal.com/tech-science/eu-looks-to-ai-to-battle-cyber-threats/article
Wed, 06 Mar 2024 13:08:26 +0000
The European Union is poised to use artificial intelligence and other tools to create a “cyber shield” protecting critical infrastructure and sectors from threats, officials said Wednesday.

The move is enshrined in a new piece of legislation, the Cyber Solidarity Act, that was agreed overnight by negotiators from EU member states and the European Parliament. 

The law, which needs a final sign-off from the parliament and the European Council, “will leverage state-of-the-art tools and infrastructures, such as artificial intelligence and advanced data analytics, to swiftly detect cyber threats and incidents,” a European Commission statement said.

It will do that through the set-up of a European Cybersecurity Alert System designed to give real-time information to authorities.

The initiative comes as EU countries face rising threats from cyber sabotage, with infrastructure increasingly linked online and AI potentially allowing bad actors to better exploit weaknesses.

“It comes at a crucial time for EU cybersecurity, as the cyber threat landscape in the EU continues to be impacted by geopolitical events,” the statement said.

A Cybersecurity Emergency Mechanism would also be established under the law to oversee preparedness in health, energy and other critical sectors. 

It would be able to tap “trusted providers” in an EU Cybersecurity Reserve to help EU institutions or countries — or even outside nations associated with the bloc — counter large-scale attacks.

To that end, the EU negotiators agreed an update to an existing Cybersecurity Act allowing the adoption of European certification schemes such providers could qualify for.

“The Cyber Solidarity Act is a crucial step to establish a European cyber shield,” said EU internal market commissioner Thierry Breton.

The enhanced cooperation it will bring will contribute to “the security of our citizens,” he said.

Global operation smashes ‘most harmful cyber crime group’
https://www.digitaljournal.com/world/global-operation-smashes-most-harmful-cyber-crime-group/article
Tue, 20 Feb 2024 15:56:07 +0000
An international operation led by UK and US law enforcement has severely disrupted “the world’s most harmful cybercrime group”, the Russian-linked ransomware specialist LockBit, officials announced Tuesday.

LockBit and its affiliates have targeted governments, major companies, schools and hospitals, causing billions of dollars of damage and extracting tens of millions in ransoms from victims.

Britain’s National Crime Agency (NCA), working with the Federal Bureau of Investigation, Europol and agencies from nine other countries in Operation Cronos, said it had infiltrated LockBit’s network and taken control of its services.

“We have hacked the hackers, we have taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” NCA director general Graeme Biggar told reporters in London.

LockBit’s website — selling services that allow people to organise cyber attacks and hold data until a ransom is paid — was taken over on Monday evening.

A message appeared on the site stating that it was “now under control of law enforcement”.

“As of today LockBit is effectively redundant, LockBit has been locked out,” Biggar said.

A message on LockBit’s site said law enforcement agencies had taken it over – Copyright AFP/File Charly TRIBALLEAU

The US Justice Department (DOJ) said the agencies had seized control of “numerous public-facing websites used by LockBit to connect to the organization’s infrastructure” and taken control of servers used by LockBit administrators.

The NCA added that it had obtained more than 1,000 decryption keys and will be contacting UK-based victims in the coming days and weeks to offer support and help them recover encrypted data.

Biggar said the network had been behind 25 percent of all cyber attacks in the past year.

LockBit has targeted over 2,000 victims and received more than $120 million in ransom payments since it formed four years ago, according to the DOJ.

Those targeted have included Britain’s Royal Mail, US aircraft manufacturer Boeing, and a Canadian children’s hospital.

In January 2023, US law enforcers shut down the Hive ransomware operation which extorted some $100 million from more than 1,500 victims worldwide.

Since then, LockBit has been seen as the biggest current threat.

– Dark Web –

Hive and LockBit are part of what cybersecurity experts call a “ransomware as a service” style, or RaaS — a business that leases its software and methods to others to use in extorting money.

Ariel Ropek, director of cyber threat intelligence at cybersecurity firm Avertium, told AFP last year that this structure makes it possible for criminals with minimal computer fluency to get into ransomware by paying others for their expertise.

On the so-called dark web, providers of ransomware services pitch their products openly.

At one end are the initial access brokers, who specialise in breaking into corporate or institutional computer systems.

They then sell that access to the hacker, or ransomware operator.

But the operator depends on RaaS developers like Hive or LockBit, which have the programming skills to create the malware needed to carry out the operation.

Typically, their programmes — once inserted by the ransomware operator into a target’s IT systems — are manipulated to freeze, via encryption, the target’s files and data.

RaaS developers offer a full service to the operators, for a large share of the ransom paid out, said Ropek.

When the ransomware is planted and activated, the target receives a message telling them how much to pay to get their data unencrypted.

That ransom can run from thousands to millions of dollars.

On Tuesday, the US unsealed an indictment against two Russian nationals, bringing to five the number of Russians it has charged in connection with LockBit.

In a separate notice, the US Treasury Department said it is imposing sanctions on the pair, affiliates of LockBit, who “actively engaged” in ransomware attacks.

Biggar said a “large concentration” of the cyber criminals are in Russia and are Russian-speaking, but law enforcement agencies have not seen any direct support for LockBit from the Russian state.

“There is clearly some tolerance of cyber criminality within Russia,” he added.

‘World’s most harmful’: What is the LockBit cybercrime gang?
https://www.digitaljournal.com/tech-science/worlds-most-harmful-what-is-the-lockbit-cybercrime-gang/article
Tue, 20 Feb 2024 12:53:27 +0000
An international law enforcement operation has taken down dozens of servers and disrupted LockBit, “the world’s most harmful cyber crime group” according to British authorities.

LockBit and its affiliates caused billions of dollars in damage and extracted tens of millions in ransom from their victims. Their targets have included banks, mail services and even a children’s hospital.

How does LockBit operate?

Rather than conduct an entire criminal operation itself, LockBit developed the malicious software — “ransomware” — that enables attackers to lock victims out of their computers and networks.

Victims were then told to pay ransom in cryptocurrency in exchange for regaining access to their data. Those who did not pay risked having their data dumped on the dark web.

The “LockBit” ransomware was first observed in 2020, and made money through up-front payments and subscription fees for the software, or from a cut of the ransom, according to the US Cybersecurity & Infrastructure Security Agency (CISA).

The model is known as “Ransomware as a Service”, or RaaS.

LockBit usually conducted itself as a professional enterprise, seeking feedback from customers — called “affiliates” — and rolling out ransomware improvements.

“LockBit operates like a business. They run — or ran — a tight ship, which has enabled them to outlast many other ransomware operations,” Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, told AFP.

LockBit is believed to have operated out of multiple locations, and cybersecurity experts say its members were Russian speakers.

How lucrative is ransomware?

In 2023, extortions by ransomware groups exceeded $1 billion in cryptocurrency for the first time, according to data published this month by blockchain firm Chainalysis.

LockBit has targeted more than 2,000 victims worldwide, receiving more than $120 million in ransom, the US Department of Justice said Tuesday.

These potentially huge payouts have emboldened cybercriminals.

“Awash with money, the ransomware ecosystem surged in 2023 and continued to evolve its tactics,” the cybersecurity firm MalwareBytes said in a report published this month.

“The number of known attacks increased 68 percent, average ransom demands climbed precipitously, and the largest ransom demand of the year was a staggering $80 million.”

That demand came after a LockBit attack severely disrupted Britain’s post operator Royal Mail for weeks.

Who are LockBit’s victims?

LockBit ransomware has been used against a wide variety of targets, from small businesses and individuals to huge corporations.

It was used “for more than twice as many attacks as its nearest competitor in 2023”, according to MalwareBytes.

The group has gained notoriety and attention from law enforcement agencies after high-profile attacks such as the one on Royal Mail.

Last November, it was blamed for an attack on the US arm of the Industrial and Commercial Bank of China (ICBC) — one of the biggest financial institutions in the world — as well as US aerospace giant Boeing.

In 2022, a LockBit affiliate attacked the Hospital for Sick Children in Toronto, Canada, disrupting lab and imaging results. LockBit reportedly apologised for that attack.

“Although LockBit developers have created rules stipulating that their ransomware will not be used against critical infrastructure, it is clear that LockBit affiliates largely disregard these rules,” Stacey Cook, an analyst at the cybersecurity firm Dragos, wrote in a report published last year.

“LockBit developers do not appear to be overly concerned with holding their affiliates accountable.”

Who is fighting back, and how?

LockBit’s growing visibility and its affiliates’ increasing attacks meant law enforcement agencies ramped up their efforts to win this cat-and-mouse game.

An alliance of agencies from 10 nations, led by Britain’s National Crime Agency, on Tuesday said they had disrupted LockBit at “every level” in an effort codenamed “Operation Cronos”.

Europol said 34 servers in Europe, Australia, the United States and Britain were taken down and 200 LockBit-linked cryptocurrency accounts were frozen.

The NCA said the action had compromised LockBit’s “entire criminal enterprise”. 

“This likely spells the end of LockBit as a brand. The operation has been compromised and other cybercriminals will not want to do business with them,” Emsisoft’s Callow told AFP.

But in recent years, cybersecurity experts have detected ransomware groups that suspended operations following law enforcement action only to re-emerge under different names.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise,” NCA Director General Graeme Biggar said in a statement.

“However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

Russian sentenced to five years in prison for Trickbot malware
https://www.digitaljournal.com/tech-science/russian-sentenced-to-five-years-in-prison-for-trickbot-malware/article
Thu, 25 Jan 2024 19:28:26 +0000
A Russian man has been sentenced to more than five years in prison for his involvement in developing the Trickbot malware used to extort businesses, including hospitals during the Covid pandemic, the US Justice Department said Thursday.

Vladimir Dunaev, 40, who was extradited from South Korea to the United States in 2021, pleaded guilty in November to conspiracy to commit computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud.

Dunaev, originally from Amur Oblast, was sentenced to five years and four months in prison by a judge in the midwestern state of Ohio on Wednesday, the Justice Department said in a statement.

Dunaev was among nine Russians, some of whom are alleged to have links to Russian intelligence services, who were indicted in the United States for involvement in Trickbot, which was taken down in 2022.

According to the Justice Department, Dunaev provided “specialized services and technical abilities in furtherance of the Trickbot scheme.”

“Dunaev developed malicious ransomware and deployed it to attack American hospitals, schools, and businesses,” US Attorney Rebecca Lutzko said. 

“He and his co-defendants caused immeasurable disruption and financial damage, maliciously infecting millions of computers worldwide.”

According to the indictments, the Trickbot group deployed malware and an associated ransomware program called Conti to attack hundreds of targets across the United States and in more than 30 other countries since 2016.

The malware was also used to steal bank account logins and passwords from victims’ computers in order to drain money from the accounts.

According to Britain’s National Crime Agency, the operation reaped at least $180 million worldwide.

The group particularly targeted hospitals and healthcare services during the 2020-2021 coronavirus pandemic, authorities said.

They would invade a computer system and encrypt all the data, demanding hundreds of thousands or even millions of dollars, paid in cryptocurrency, to free up the systems.

In one attack, the group used ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones and causing a diversion of ambulances, US officials said.

In July 2020, an attack hit a local government in a Tennessee town, locking down local emergency medical services and the police department.

A May 2021 virtual incursion against a California hospital network, Scripps Health, locked up the computers of some 24 acute-care and outpatient facilities.

Another Trickbot member, Alla Witte, a Latvian national, pleaded guilty to conspiracy to commit computer fraud in June after being extradited from Suriname, where she helped write code for Trickbot and laundered proceeds from the ransomware.

Witte was sentenced to two years and eight months in prison.

Taiwan prepares for cyber D-Day in China invasion scenarios
https://www.digitaljournal.com/tech-science/taiwan-prepares-for-cyber-d-day-in-china-invasion-scenarios/article
Thu, 11 Jan 2024 15:13:00 +0000
Millions of people offline, banks knocked out and the world’s most advanced semiconductor industry paralysed — Taiwan’s doomsday scenario includes not just invading Chinese troops but also a wave of attacks against its cyber infrastructure.

China claims self-ruled Taiwan as its territory, and the island’s security planners run simulated worst-case scenarios constantly to prepare for the day Beijing decides to try and take over.

If China does invade, Taiwanese officials and cybersecurity experts say it will not limit its assaults to security forces and defence infrastructure, but effectively disconnect the island from the world.

Taiwan is facing a persistent threat from stealthy attackers who gain access to computer networks to “sit and wait within the victim’s infrastructure”, said Crystal Tu, a cybersecurity researcher at Taiwan’s Institute of National Defense and Security Research.

They can be highly active during a time of conflict, Tu told AFP, such as a “cyber operation aimed at the disruption of critical infrastructure — including telecommunications, energy and finance sectors”.

Cyberattacks against Taiwan have ramped up dramatically in the year leading up to the presidential election on Saturday, which China has described as a choice between war and peace for the island’s 23 million people.

Taiwanese authorities have said government agencies face an estimated five million cyberattacks a day.

And the cybersecurity firm Fortinet reported an 80 percent increase in cyber attacks in the first half of 2023 — ranking Taiwan number one in Asia Pacific.

“The cyber operation toward Taiwan never really stops,” said Tu.

Some tactics used against Taiwanese infrastructure have been identified as techniques used by Chinese state-sponsored groups.

Last year, Microsoft flagged the threat from a group named Flax Typhoon that operates out of China and targets Taiwan.

The US tech giant said Flax Typhoon “intends to perform espionage and maintain access” to various Taiwanese organisations for as long as possible.

– Semiconductor hub –

Cyberattackers have not only targeted Taiwan’s government and defence organisations, but also hit its semiconductor industry.

Taiwanese companies are crucial to the supply of chips, the lifeblood of the global economy.

Such is their importance that one former US official said last year that the United States would rather destroy this semiconductor infrastructure than let it fall to invading Chinese forces.

Last year, the Taiwan Semiconductor Manufacturing Company (TSMC), which controls more than half of the world’s chip output, reported a data breach at one of its suppliers.

“Taiwan is an important target because it is at the top of the critical high-tech supply chain,” said Fortinet’s Jim Liu.

“Geopolitics and (China-Taiwan) relations could inevitably increase cybersecurity incidents.”

China has increased diplomatic and military pressure on the island since 2016, when Tsai Ing-wen of the Democratic Progressive Party became Taiwan’s president.

She considers Taiwan an independent state and does not accept China’s claim on the island — views shared by Lai Ching-te, the DPP’s presidential candidate.

– Worst-case scenario –

China’s increasing aggression towards Taiwan, including simulated blockades of the island, has fuelled speculation among policymakers about Beijing’s potential timeline — and methods — for an invasion.

In the digital realm, Taiwanese officials say China could go beyond cyberattacks and effectively cut off the island from the rest of the world.

“Because Taiwan is an island, all communication with the outside world relies on undersea cables,” Taiwan’s deputy digital minister Huai-jen Lee told AFP in a recent interview.

“The worst-case scenario is all our undersea cables are cut off.”

To prepare for that, Taiwan is looking to the sky.

Deputy Digital Minister Lee told AFP that Taiwan is working with two foreign satellite service providers to collaborate with the island’s largest telecom company.

Satellite receivers will be placed in 700 spots across Taiwan “to test whether we can switch communication systems” during times of crisis, he said.

“The first thing… is to maintain the stability of the government’s command system and maintain the accuracy of the information provided” to civilians, he told AFP.

What is Storm-1152, alleged top creator of fake Microsoft accounts?
https://www.digitaljournal.com/business/what-is-storm-1152-alleged-top-creator-of-fake-microsoft-accounts/article
Fri, 15 Dec 2023 13:28:00 +0000
Microsoft has seized the websites of a Vietnam-based group it alleges sold millions of fake accounts to cybercriminals who used them for ransomware attacks, identity theft and other scams around the world.

The group, identified by Microsoft as Storm-1152, developed sophisticated tools to defeat the US tech giant’s security features to set up fraudulent Outlook and Hotmail email accounts in bulk.

Who is in Storm-1152?

Storm-1152 was first detected in 2021. Arkose Labs, the cybersecurity firm that worked with Microsoft against the group, tracked it to Vietnam.

The leaders of the group are three Vietnam-based individuals, Duong Dinh Tu, Linh Van Nguyen and Tai Van Nguyen, Microsoft said in a statement on Wednesday. It is not clear if there are any other members.

AFP has asked the three for a response on email addresses listed in Microsoft’s complaint against them in a US federal court last week.

AFP has also contacted Vietnamese authorities for comment.

How did they make millions of accounts so rapidly?

Storm-1152 developed automated software — or “bots” — to create fake accounts.

These bots defeated Microsoft’s safeguards, such as the CAPTCHA puzzles users have to solve to prove they are human, the tech giant said in its court filing.

Storm-1152 is “the number one seller and creator of fraudulent Microsoft accounts”, creating around 750 million to date, the company said Wednesday.

Microsoft’s court filing included a screenshot of a Storm-1152 website that boasts the use of artificial intelligence against CAPTCHA.

The group created accounts “at a scale so large, fast, and efficient that it could have only been carried out through automated, machine-learning technology”, Patrice Boffa, chief customer officer at Arkose Labs, said in a statement.

Who needs so many fake email accounts?

Storm-1152 pursued a model called “cybercrime-as-a-service” or CaaS, acting as a provider to other criminal groups, Microsoft and Arkose said.

With tech companies improving their detection and deletion of fake accounts, cyber attackers need huge amounts to carry out their operations.

“Instead of spending time trying to create thousands of fraudulent accounts, cybercriminals can simply purchase them from Storm-1152 and other groups,” Microsoft’s Amy Hogan-Burney said in a blog post.

Storm-1152 allegedly made millions of dollars from the operation.

What did Storm-1152’s customers do with fake accounts?

The group’s customers have used fake email accounts for a variety of crimes, according to Microsoft and Arkose Labs.

These include phishing attacks to either steal information or insert malware on devices.

Its customers have also used these accounts to install ransomware and demand payment from victims, according to Microsoft.

The highest-profile customer named in Microsoft’s court filing is a group known as Octo Tempest, which has been linked to a wave of cybercrimes in recent years.

Octo Tempest recently launched ransomware attacks against Microsoft customers that “inflicted hundreds of millions of dollars of damage”, the company said in its court filing, without naming the victims.

Google and X, formerly known as Twitter, have also been hit by Storm-1152 activities, Microsoft said in the filing.

Was it hard to find Storm-1152?

Unlike many cybercriminals that offer such services on the so-called dark web, hidden away from general users, Storm-1152’s websites were on the open web.

It offered its services on at least two websites, according to Microsoft, and even had step-by-step user guides.

Duong Dinh Tu, one of the defendants, also had a YouTube channel with a video demonstration, and the group would edit the code for their anti-CAPTCHA software on GitHub — a Microsoft-owned internet depository for software.

Microsoft said it also hired cybercrime experts to make undercover purchases of accounts and CAPTCHA-beating tools from Storm-1152 websites.

A US court allowed Microsoft to take control of the group’s sites in response to the company’s complaint last week.

The sites now say: “This Domain has been seized by Microsoft.”

Russian pleads guilty in US to role in Trickbot malware scheme
https://www.digitaljournal.com/business/russian-pleads-guilty-in-us-to-role-in-trickbot-malware-scheme/article
Thu, 30 Nov 2023 23:09:07 +0000
A Russian man pleaded guilty on Thursday to involvement in developing the Trickbot malware used to extort businesses, including hospitals during the Covid pandemic, the US Justice Department said.

Vladimir Dunaev, 40, was extradited from South Korea to the United States in 2021 to face charges of conspiracy to commit computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud.

Dunaev pleaded guilty to both charges in an Ohio court on Thursday, the Justice Department said. He will be sentenced on March 20 and faces a maximum penalty of 35 years in prison on both counts.

Dunaev was among nine Russians, some of whom are alleged to have links to Russian intelligence services, who were indicted in the United States for involvement in Trickbot, which was taken down in 2022.

According to the Justice Department, Dunaev provided “specialized services and technical abilities in furtherance of the Trickbot scheme.”

“Dunaev and his codefendants hid behind their keyboards, first to create Trickbot, then using it to infect millions of computers worldwide — including those used by hospitals, schools, and businesses — invading privacy and causing untold disruption and financial damage,” US Attorney Rebecca Lutzko said in a statement.

According to the indictments, the Trickbot group deployed malware and an associated ransomware program called Conti to attack hundreds of targets across nearly all of the United States and in more than 30 other countries since 2016.

The malware was also used to steal bank account logins and passwords from victims’ computers in order to drain money from the accounts.

According to Britain’s National Crime Agency, the operation reaped at least $180 million worldwide.

The group particularly targeted hospitals and healthcare services during the 2020-2021 coronavirus pandemic, authorities said.

They would invade a computer system and encrypt all the data, demanding hundreds of thousands or even millions of dollars, paid in cryptocurrency, to free up the systems.

In one attack, the group used ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones and causing a diversion of ambulances, US officials said.

In July 2020, an attack hit a local government in a Tennessee town, locking down local emergency medical services and the police department.

A May 2021 virtual incursion against a California hospital network, Scripps Health, locked up the computers of some 24 acute-care and outpatient facilities.

Another Trickbot member, Alla Witte, a Latvian national, pleaded guilty to conspiracy to commit computer fraud in Ohio in June after being extradited from Suriname, where she helped write code for Trickbot and laundered proceeds from the ransomware.

Witte was sentenced to two years and eight months in prison.

China-based ‘Flax Typhoon’ hackers targeting Taiwan govt: Microsoft
https://www.digitaljournal.com/world/china-based-flax-typhoon-hackers-targeting-taiwan-govt-microsoft/article
Fri, 25 Aug 2023 03:26:06 +0000
A China-based hacking group named “Flax Typhoon” has targeted dozens of Taiwanese government agencies with the likely aim of spying on them, Microsoft has revealed.

Taiwan has long accused China — which claims the self-ruled island as its territory — of espionage through cyberattacks on its government networks.

Microsoft said Thursday that Flax Typhoon, “a nation-state actor based out of China”, has since mid-2021 mainly “targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan”.

The activities observed suggest “the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible,” the US tech giant said in a blog post.

“However, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.”

China has long vowed to take Taiwan — by force if necessary — and has stepped up military and political pressure on the island.

In addition to government agencies, Microsoft said Flax Typhoon has also targeted “critical manufacturing and information technology organizations in Taiwan”.

The firm said that outside Taiwan there were also some Flax Typhoon “victims” in Southeast Asia, North America and Africa.

Last month, Microsoft said China-based hackers seeking intelligence had breached the email accounts of a number of US government agencies.

That hacking group — which Microsoft called Storm-0558 — primarily focuses on “espionage, data theft, and credential access”.

The company also warned this year that state-sponsored Chinese hackers had infiltrated critical US infrastructure networks, saying this was likely aimed at hampering the United States during a conflict.

Microsoft made particular mention of Guam, a US Pacific territory with a vital military base, as a target.

Authorities in Australia, Canada, New Zealand and Britain have also warned that Chinese hacking is likely taking place globally, affecting an extensive range of infrastructure.

Chinese hackers breached US govt email accounts: Microsoft (https://www.digitaljournal.com/tech-science/chinese-hackers-breached-us-govt-email-accounts-microsoft-2/article, Wed, 12 Jul 2023 17:23:27 +0000)

Chinese-based hackers seeking intelligence information breached the email accounts of a number of US government agencies, computer giant Microsoft said.

“The threat actor Microsoft links to this incident is an adversary based in China that Microsoft calls Storm-0558,” the company said in a blog post late Tuesday.

Microsoft said Storm-0558 gained access to email accounts at approximately 25 organizations including government agencies.

Microsoft did not identify the targets but a US State Department spokesperson said the department had “detected anomalous activity” and had taken “immediate steps to secure our systems.”

“As a matter of cybersecurity policy, we do not discuss details of our response and the incident remains under investigation,” the spokesperson said.

According to The Washington Post, the breached email accounts were unclassified and “Pentagon, intelligence community and military email accounts did not appear to be affected.”

CNN, citing sources familiar with the investigation, said the Chinese hackers targeted a small number of federal agencies and the email accounts of specific officials at each agency.

In the blog post, Charlie Bell, a Microsoft executive vice president, said “we assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection.

“This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems,” Bell said.

US National Security Adviser Jake Sullivan addressed the hack in an appearance on Wednesday on ABC’s Good Morning America, and said it had been detected “fairly rapidly.”

“We were able to prevent further breaches,” Sullivan said.

“The matter is still being investigated, so I have to leave it there because we’re gathering further information in consultation with Microsoft and we will continue to apprise the public as we learn more,” Sullivan said.

– Espionage and data theft –

Microsoft said Storm-0558 “primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access.”

The Redmond, Washington-based company said it had launched an investigation into “anomalous mail activity” on June 16.

“Over the next few weeks, our investigation revealed that beginning on May 15, 2023, Storm-0558 gained access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts.

“They did this by using forged authentication tokens to access user email using an acquired Microsoft account consumer signing key,” the company said. “Microsoft has completed mitigation of this attack for all customers.”

US Senator Mark Warner, chairman of the Senate Select Committee on Intelligence, said the panel is “closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence.”

“It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the US and our allies,” Warner said in a statement.

Disclosure of the Chinese hacking comes on the heels of trips to China by US Secretary of State Antony Blinken and Treasury Secretary Janet Yellen and the shooting down by the United States of a Chinese surveillance balloon.

In May, Microsoft said state-sponsored Chinese hackers called “Volt Typhoon” had infiltrated critical US infrastructure networks.

Microsoft highlighted Guam, a US territory in the Pacific Ocean with a vital military outpost, as one of the targets in that attack, but said “malicious” activity had also been detected elsewhere in the United States.

“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the company said at the time.

Microsoft’s May statement coincided with an advisory released by US, Australian, Canadian, New Zealand and British authorities warning that the hacking was likely occurring globally.

China denied the allegations, describing the Microsoft report as “extremely unprofessional” and “scissors-and-paste work.”

“It is clear that this is a collective disinformation campaign of the Five Eyes coalition countries, initiated by the US for its geopolitical purposes,” foreign ministry spokeswoman Mao Ning said, referring to the security alliance of the United States and its Western allies that wrote the report.

Chinese hackers breached US govt email accounts: Microsoft (https://www.digitaljournal.com/tech-science/chinese-hackers-breached-us-govt-email-accounts-microsoft/article, Wed, 12 Jul 2023 15:33:26 +0000)

