Microsoft Warns of Chinese Hackers Abusing Code Vulnerability to Access US Government Emails
On Friday, Microsoft announced that a digital key belonging to the company was unlawfully obtained by Chinese hackers, who then exploited a vulnerability in Microsoft’s code to pilfer emails from various clients, including U.S. government agencies.
The company said in a blog post that the hackers were able to use the key — which they obtained under undisclosed circumstances — and exploit a “validation flaw in Microsoft code” to carry out their cyber espionage campaign.
The blog offered the most comprehensive explanation yet for the hack, which has shaken both the cybersecurity industry and relations between China and the United States. Beijing has denied any involvement in the spying.
Microsoft and U.S. officials said Wednesday night that Chinese state-linked hackers had secretly accessed the email accounts of about 25 organizations since May. U.S. officials said they included at least two government agencies: the Departments of State and Commerce.
Secretary of State Antony Blinken told China’s top diplomat Wang Yi at a meeting in Jakarta on Thursday that any actions that target the US government, US companies or American citizens are of deep concern and that “we will take appropriate action to hold those responsible accountable,” a senior State Department official said.
Microsoft’s blog post did not explain how the hackers got their hands on one of the company’s digital keys, leading some experts to speculate that Microsoft itself had been hacked before the thefts. The company did not immediately respond to questions about the key.
The breach has put Microsoft’s security practices under scrutiny, with officials and lawmakers demanding that the Redmond, Washington-based company make top-level digital auditing, also known as logging, available to all of its customers free of charge.
Microsoft announced in a statement late Thursday that it was taking the criticism into account. “We are evaluating the feedback and are open to other designs,” the company said, adding that it was “actively engaging” with US authorities on the matter.