Chinese Hackers Breached Email of Commerce Secretary Raimondo, State Department Officials

By Dustin Volz and William Mauldin

Updated July 12, 2023 11:34 pm ET

Hackers didn’t appear to gain access to national security information

WASHINGTON—U.S. Commerce Secretary Gina Raimondo and senior officials at the State Department were victims of a newly discovered Chinese hacking campaign, American officials said Wednesday, a targeted spying effort in the spring that coincided with a Biden administration push to soothe rising tensions with Beijing.

The breaches of unclassified email systems, which some officials and experts said may have required extraordinary technical expertise to pull off, raise new alarms about the ability of Chinese hackers to orchestrate more sophisticated attacks and come at a fragile point in U.S.-China relations.

The date of the hack’s discovery in June closely aligned with the timing of Antony Blinken’s travel to China, the first U.S. secretary of state to visit Beijing in five years.

A small number of State Department employees were compromised in the attack, one of the people said, adding that it is believed the hackers didn’t access national security information. Cybersecurity specialists at the State Department were the first to detect the espionage campaign that leveraged a flaw in a Microsoft cloud-computing environment, which the company said has since been fixed.

“Last month the State Department detected anomalous activity,” said State Department spokesman Matt Miller. “We took immediate steps to secure our systems” and notified Microsoft, he added.

Miller said the incident remains under investigation, but declined to provide further details.

The Commerce Department also confirmed in a statement it had suffered a compromise. Officials familiar with the matter said Raimondo’s email account was among those that the hackers accessed. It wasn’t clear if other cabinet-level officials also had their accounts breached.

“Microsoft notified the department of a compromise to Microsoft’s Office 365 system, and the department took immediate action to respond,” a Commerce Department spokesman said in a statement. “We are monitoring our systems and will respond promptly should any further activity be detected.”

As Commerce Secretary, Raimondo oversees trade issues related to China, including export controls on Chinese technologies that have strained bilateral relations.

More than two dozen organizations globally were compromised in the hacking spree, according to Microsoft. Fewer than 10 organizations were compromised in the U.S. and each of those appeared to have a small number of individual email accounts breached, a senior American cybersecurity official said Wednesday.

“This was a targeted, surgical campaign that was not seeking the breadth of access that we have seen in other campaigns,” the official said, adding that it was far narrower than a Russian cyberintelligence operation discovered in 2020 that was widely considered to be a major American counterintelligence failure. In both cases, however, different security gaps in Microsoft’s process for authenticating customers played a key role.

Because the flaw in the newly unearthed hack dealt with Microsoft infrastructure, hackers didn’t appear to need victims to click on a malicious link to gain covert entry into their email inboxes. The intrusions were limited to Microsoft emails on unclassified systems, officials said.

Officials said the hack began in May amid an uptick in diplomatic outreach between the U.S. and China, after months of plummeting relations over the Ukraine war, the American discovery and shooting down of what it said was a Chinese surveillance balloon, and revelations of increased Chinese intelligence cooperation with Cuba.

CIA Director William Burns made a secret trip to Beijing in May, ahead of Blinken’s June visit. Treasury Secretary Janet Yellen visited Beijing last weekend, and John Kerry, the U.S. climate envoy and former secretary of state, is set to visit next week.

While Beijing has rebuffed calls to resume military-to-military ties, China’s ambassador to the U.S., Xie Feng, met with a senior Defense Department official, Ely Ratner, at the Pentagon on Wednesday for discussions about defense relations and other issues, the Defense Department said.

Republicans in Congress and other critics have faulted President Biden for being too eager to repair relations with Beijing despite repeated spying revelations and growing concerns about China’s ambitions related to Taiwan.

“China is testing the waters to see what they can get away with and learning that it’s actually a lot,” said Cliff Sims, the former deputy director of national intelligence for strategy during the Trump administration.

Diplomats and other personnel at the State Department are a lucrative target for foreign hackers in adversarial countries like China, as their intelligence services are eager to discern insights into the foreign-policy planning of the Biden administration. CNN earlier reported that the State Department was first to detect the hacking campaign.

The hackers, dubbed Storm-0558 by Microsoft, broke into email accounts at about 25 organizations and hit consumer accounts that were likely linked to these entities, Microsoft said in a blog post published late Tuesday. The apparent espionage campaign infiltrated victims’ email beginning on May 15 and operated in stealth for more than a month, until June 16, when Microsoft began its investigation, the company said.

Asked about the accused hacking, Beijing officials pointed the finger at Washington for spying. “The U.S. is the world’s biggest hacking empire and global cyber thief,” Chinese Foreign Ministry spokesman Wang Wenbin said Wednesday.

China has routinely denied hacking American organizations and has accused the U.S. and its allies of targeting Chinese networks.

China’s cyber spies have been successfully pilfering data from the U.S. government and its allies for well over a decade, according to current and former intelligence officials. While the broad contours of the newly disclosed hack didn’t surprise officials or cybersecurity researchers, several said it reflected China’s rapidly improving technical skills, adding that it appeared to be more precisely targeted against individuals seen as lucrative intelligence targets.

“Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with,” said John Hultquist, chief analyst at Google Cloud’s Mandiant cybersecurity division. “They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth.”
