How Chinese Spies Hacked U.S. State Department Emails--Threat Modeling for APTs and APTaaS

Created in July 12, 2024

2024   ·   breach   opinion   china   storm0558   antiquetyphoon   apt   ·   Opinion

Note: I refer to a threat group as “Storm-0558” throughout this article, but since the time of writing Microsoft has begun tracking this group under the name “Antique Typhoon”

How Chinese Spies Hacked U.S. State Department Emails

An intrusion by an APT (Advanced Persistent Threat) that I recently researched for a class stood out from other APT attacks I have heard of. It caught my eye due to its complexity and the ingenuity it must have taken to pull off successfully. The attack was discovered in the summer of 2023, first by the US State Department, and then more thoroughly investigated by Microsoft. I wrote another blog post about this attack and the U.S. laws that were broken by both the threat actors and by Microsoft. Microsoft was tipped off that Outlook email accounts belonging to US State Department employees and contractors were being accessed by unknown parties. Microsoft investigated and found that the patterns of activity displayed by the group were consistent with an APT conducting espionage from China. This group’s activities were distinct from previously known Chinese government APTs, so Microsoft classified the group as a developing APT and named it Storm-0558.

Storm-0558’s patterns of activity fit neatly with many of those outlined in Hejase et al.’s 2020 review of APTs. Hejase et al. suggest that APTs may be able to successfully target and penetrate even well-resourced and well-defended organizations (Hejase et al., 2020). Indeed, Storm-0558 penetrated Microsoft’s flagship email product Outlook as well as Microsoft’s corporate network. Furthermore, the attack was aimed at a razor thin set of targets–the US State Department and companies closely related to it. The attackers were highly skilled, remaining undetected in Microsoft’s systems for at least a month but possibly as long as a year or more. They achieved this by abusing an unknown flaw–a 0-day–but not a standard one. It required a special cryptographic key that had to be stolen from Microsoft. Not only that, but Microsoft didn’t even know they, themselves, had the key or that it could be stolen. It was not ever supposed to be stored on their servers, but was accidentally saved (because of a bug) as part of a crash-dump after the crash of a system that was used to generate MSA signing keys. The attackers had to know that they needed the key, know how to look for the key, compromise a Microsoft employee account, know the key would be in the crash-dump, find the crash-dump, exfiltrate it, find the key, and then use it as part of a 0-day exploit for the attack, all without detection. This is all to say that this attack took tremendous skill, time, and dedication to pull off and aligns with Hejase et al.’s descriptions of APT attacks (Hejase et al., 2020).

Using Threat Modeling To Defend Against APTs

A single section of a blog post is much too small to cover how to defend against APTs but I will touch on some important points that I came across during my research. Given the resources and manpower at their disposal, defense against APTs can be extremely challenging. There will never be a perfect defense strategy. In their article on using Game-Theory to identify defense strategies for use against APTs, Khalid et al. echo this sentiment, writing that in the future we will continue to see attackers’ behavior evolve to avoid detection and bypass security measures (Khalid et al., 2023). This may seem like an obvious statement but it is especially poignant when it comes to APTs. APTs, especially large government APTs, are often on the cutting-edge of technological progress. In some cases, like the case of Microsoft and Storm-0558, they will penetrate even very well-resourced organizations.

To defend against attackers who use novel and advanced tactics, we must try to anticipate these novel tactics before they are used by thinking about how an advanced attacker might try to breach our defenses. This is where Threat Modeling can help. Tatam et al. highlight eight key aspects of a threat modeling exercise (Tatam et al., 2021):

1. Use correlated and actionable threat intelligence from multiple internal and external sources. 2. Identify organizational specific threat agents, their motives and capability. 3. Identify critical assets and controls. 4. Find all relevant threats whose likelihood and business impact level are above the organization’s risk appetite. 5. Include as many stakeholders as possible from all areas and levels of an organization. 6. Identify boundaries of environments within the scope of the system. 7. Identify Authentication and authorisation aspects. 8. Choose a consistent approach and methodology that best fits requirements, maturity level, audience and environment.

Applying these principles can help identify possible vectors of attack, likely targets for attack, and so on. In the case of Microsoft and Storm-0558, while I’m sure Microsoft applies many of these principles, Microsoft failed to model a threat like Storm-0558. They failed to identify the crash-dump as a critical asset (since it contained critical information). They failed to detect that the crash-dump contained a cryptographic key, leading to the failure to protect it. Their failure to detect and protect the key led to the eventual breach by Storm-0558. If their threat modeling had included thorough searches for MSA keys in places they shouldn’t be, it’s possible they would have been able to prevent the breach. This example illustrates two realities: That threat modeling, if applied properly, can help increase security at any organization, even very large ones. And that APTs may still find methods of exploitation that have not occurred to defenders, even when threat modeling has been done well.

Inexperienced Nation-States Playing Catch-Up

APT status, at least at the highest tier, is generally reserved for governments or other organizations with a long history of signals intelligence like the U.S., China, India, U.K., etc. These countries have been pouring resources into cyber espionage for years and have used that time and experience to develop many advanced capabilities. While money can be a great catalyst for the development of espionage capabilities, the key components are really time and experience. Organizations like the NSA have spent decades trying, succeeding, failing, and iterating their technologies. There is simply no way for another country to buy that experience. In the past, this has acted as a barrier to entry for countries trying to enter the playing field. However, that paradigm is unquestionably shifting.

Increasingly since the mid 2010s, nation-states have been able to buy their way to higher and higher tiers of the APT class. It all started with a U.S. company called Zorodium, founded in 2015. Zorodium acted as a broker for exploits, buying them from hackers and selling them to governments, their contractors, or other private companies. Since 2015, many other such brokers have popped up, funneling exploits from hackers around the world into the hands of the highest bidders. This phenomenon also gave rise to a similar, but distinct business model: APTaaS or APT as a Service. These companies offer a full service hacking suite to governments in exchange for a heft payout. Israel’s NSO Group is perhaps the most famous (and infamous) of these organizations.

Companies like NSO develop advanced hacking tools and frameworks and then sell them to governments or other organizations that do not have the experience or ability to develop such tools on their own. It used to take years or decades to stand-up an organization competent enough to pose a significant threat as a nation-state, but thanks to APTaaS, the timeline is now much shorter. What this means is that there has been a recent proliferation of advanced cyber-weapons to many governments across the world, vastly expanding the breadth of the potential threat posed by APTs as a whole. The United States and China, among many others, have long been guilty of (ab)using their cyber-might for their own gain, often at the expense of others. With advanced cyber weapons in the hands of more nation states than ever before, these threats are multiplied many fold. While it used to be rare to be the target of an APT, it is becoming more and more common. The idea “it won’t happen to me,” which was outdated as soon as it was uttered, is especially egregious in the age of APTaaS. Today all organizations, and really all privacy-minded individuals, must assume that they could be the victim of a long-term, targeted, and advanced attack.

References

2023

  1. Khalid et al. | 2023
    Recent Developments in Game-Theory Approaches for the Detection and Defense against Advanced Persistent Threats (APTs): A Systematic Review
    Mohd Nor Akmal Khalid, Amjed Ahmed Al-Kadhimi, and Manmeet Mahinderjit Singh
    2023
    Number: 6 Publisher: Multidisciplinary Digital Publishing Institute
    DOI Bib

2021

  1. Tatam et al. | 2021
    A review of threat modelling approaches for APT-style attacks
    Matt Tatam, Bharanidharan Shanmugam, Sami Azam, and 1 more author
    2021
    DOI Bib

2020

  1. Hejase et al. | 2020
    Advanced Persistent Threats (APT): An Awareness Review
    Hussin Jose Hejase, Hasan Kazan, and Imad Moukadem
    2020
    DOI Bib


Enjoy Reading This Article?

Here are some more articles you might like to read next:

  • HTB Write-Up | Medium Sherlock | Mellitus
  • HTB Write-Up | Medium Sherlock | Nuts
  • The Legal Implications of Antique Typhoon's Intrusion Into Microsoft & The U.S. State Department
  • Why All The Cybersecurity Laws? Why Now?