The Legal Implications of Antique Typhoon's Intrusion Into Microsoft & The U.S. State Department

Created in June 21, 2024

2024   ·   law   cyberlaw   opinion   china   storm0558   antiquetyphoon   apt   ·   Opinion

Disclaimer: While I discuss U.S. laws in this article, I am not a lawyer and anything I write about law (or anything else for that matter) should be taken as my opinion and speculation, not as a statement of legal fact. Certainly nothing I write should be taken as legal advice.

Note: I refer to a threat group as “Storm-0558” throughout this article, but since the time of writing Microsoft has begun tracking this group under the name “Antique Typhoon”

The attack and initial fallout

On July 11th, 2023, the Microsoft Security Response Center (MSRC) published a blog post announcing that they had mitigated an attack targeting Microsoft Cloud email accounts at 25 organizations across the world (MSRC, 2023). Specifically, the attackers had seemed quite interested in U.S. government activity, targeting U.S. government agencies and adjacent organizations. Among the accounts hacked were those of U.S. Commerce Secretary Gina Raimondo, Assistant Secretary of State for East Asia Daniel Kritenbrink, and U.S. Envoy to China Nicholas Burns (Freed et al., 2023).

Microsoft Threat Intelligence has said that the attacking group is based in China and assessed that its methods, OpSec, tradecraft, and objectives seem consistent with state-sponsored espionage (Intelligence, 2023). They have dubbed the group Storm-0558 and differentiated it from previously identified Chinese state-sponsored hacking groups like APT31, APT41, APT10, and Salt Typhoon. Storm-0558 gained access to accounts by forging authentication tokens and using them via the Outlook Web Access web application (MSRC, 2023). The precise details are a little murky even in Microsoft’s own posts about the attack, but the exploit used by the attackers required use of a Microsoft account (MSA) key that they had obtained by compromising a Microsoft employee’s account in a phishing campaign. The MSA key in question was never supposed to be saved by Microsoft but was accidentally included in a crash-dump log back in 2021 (MSRC, 2023). The stolen MSA key was then somehow accessed by the attackers and used to cryptographically sign Azure Active Directory authentication tokens that allowed access to enterprise email accounts. The attackers accessed select accounts for more than a month in 2023 and exfiltrated over 60,000 emails during that time. U.S. sources say that none of the emails contained classified or even sensitive information.

Update: If you’d like to know more about the actual attack, I have since written another post on the topic. I’d also highly recommend reading the detailed reports from MSRC, which you can find in my references.

As of June 2024, no official criminal proceedings have been brought as a result of this attack. Given the international nature of the attack and the fact that the attackers were probably working for Chinese intelligence, it is unlikely that any of the hackers will serve time or face consequences for this breach. However, these types of hurdles have not stopped the U.S. Department of Justice (DOJ) from issuing indictments against state-sponsored hackers in the past.

Which Laws Were Broken By Storm-0558?

It is obvious that it is illegal to hack into a large corporation and then leverage that access to read State Department employee’s emails, but it is less obvious exactly which laws make those actions illegal. To get an idea of which laws could be applied to the actions of threat actors in this case, I researched indictments issued for similar cases.

In one similar case, in 2017, the DOJ released indictments for four Russian nationals associated with the FSB (the domestic wing of Russian Intelligence) for allegedly hacking Yahoo email accounts (DOJ, 2017). The 2017 case differs in many ways from Storm-0558’s 2023 attack, but some of the charges in the indictment seem like they could be applied to the members of Storm-0558. For example, it seems likely that the members of Storm-0558 violated 18 USC §1030. Fraud and related activity in connection with computers which contains many specific criteria for violation, but in essence prohibits unauthorized access to any protected computers, including those containing information from any department of the United States (18 USC §1030, 1986). They also probably violated 18 USC §1028. Fraud and related activity in connection with identification documents, authentication features, and information (18 USC §1028, 1998), 18 USC §1028A. Aggravated identity theft (18 USC §1028A, 2004), and 18 USC §1029. Fraud and related activity in connection with access devices (18 USC §1029, 1984). The reasons that I believe they violated these laws are, respectively, because they forged authentication tokens to impersonate another person, they committed a felony while impersonating another person, and they created, possessed, and used “counterfeit” authentication tokens, i.e. access devices.

U.S. Senator Ron Wyden (Wyden, 2023) wrote a letter to Jen Easterly, Director of CISA, Lina Khan, Chairwoman of the FTC, and Merrick Garland, U.S. Attorney General asking them to investigate Microsoft in relation to the email breach. He specifically asks Garland to determine if Microsoft broke federal contract laws, Khan to investigate privacy laws, and points out that by being negligent in this case Microsoft may have broken a court order from 2002 regarding a different security incident. Wyden doesn’t specify laws that he thinks Microsoft has broken, but I think some contenders are The Federal Trade Commission Act (15 USC §41-58, 1914), The Children’s Online Privacy Protection Act (15 USC §6501-6505, 1998), and The Electronic Communications Privacy Act (18 USC §2510-2523, 1986).

To make matters worse for Microsoft, they weren’t even the ones who discovered the attack, instead they were notified by the U.S. State Department’s cybersecurity team (Goswami, 2023). Furthermore, Microsoft was charging a premium fee for access to the types of logs that allowed the State Department’s team to notice the attack. Customers who paid for the cloud email services, but not for the premium logging, had absolutely no way to know they were under attack. After looking through logs of one of the victim organizations that did not pay Microsoft for premium logs, Incident responder Steven Adair said in an interview “you couldn’t convince me anything in here is out of the ordinary and I would never suspect a breach and I’m looking for one” (Temple-Raston & Jarvis, 2023). All this is to say, Microsoft may be in some legal trouble after this incident. Between leaking the MSA key, not being able to detect the breach themselves, and charging a premium for access to the logs that contained evidence of the breach, they are already appearing pretty weak, at least in the court of public opinion

References

2023

  1. MSRC | 2023
    Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email
    MSRC
    2023
    Bib
  2. Freed, Potkin, Geddie | 2023
    The Chinese groups accused of hacking the US and others
    Jamie Freed, Fanny Potkin, and John Geddie
    2023
    Bib
  3. MTI | 2023
    Analysis of Storm-0558 techniques for unauthorized email access
    Microsoft Threat Intelligence
    2023
    Bib
  4. MSRC | 2023
    Results of Major Technical Investigations for Storm-0558 Key Acquisition
    MSRC
    2023
    Bib
  5. Wyden | 2023
    Letter from US Senator Ron Wyden to Jen Easterly, Lina Khan, and Merrick Garland
    Ron Wyden
    2023
    Bib
  6. Goswami | 2023
    Microsoft responsible for China’s U.S. government email hack, Senator Wyden says
    Rohan Goswami
    2023
    Bib
  7. Temple-Raston, Jarvis | 2023
    ’What else is new?’: China’s hack on Microsoft follows a storied history of cyber-espionage
    Dina Temple-Raston, and Will Jarvis
    2023
    Bib

2017

  1. DOJ | 2017
    Office of Public Affairs | U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts | United States Department of Justice
    DOJ
    2017
    Bib

2004

  1. 18 USC §1028A | 2004
    18 USC §1028A. Aggravated identity theft
    18 USC §1028A
    2004
    Bib

1998

  1. 18 USC §1028 | 1998
    Identity Theft and Assumption Deterrent Act, 18 USC §1028
    18 USC §1028
    1998
    Bib
  2. 15 USC §6501-6505 | 1998
    Children’s Online Privacy Protection Act, 15 USC §6501-6505
    15 USC §6501-6505
    1998
    Bib

1986

  1. 18 USC §1030 | 1986
    Computer Fraud and Abuse Act, 18 USC §1030
    18 USC §1030
    1986
    Bib
  2. 18 USC §2510-2523 | 1986
    Electronic Communications Privacy Act, 18 USC §2510-2523
    18 USC §2510-2523
    1986
    Bib

1984

  1. 18 USC §1029 | 1984
    Fraud and related activity in connection with access devices
    18 USC §1029
    1984
    Bib

1914

  1. 15 USC §41-58 | 1914
    Federal Trade Commission Act, 15 USC §41-58
    15 USC §41-58
    1914
    Bib


Enjoy Reading This Article?

Here are some more articles you might like to read next:

  • Fan Service
  • Chrome Browser History Plugin for Volatility 3
  • HTB Write-Up | Medium Sherlock | Mellitus
  • HTB Write-Up | Medium Sherlock | Nuts
  • How Chinese Spies Hacked U.S. State Department Emails--Threat Modeling for APTs and APTaaS