Microsoft Email Hack Shows Greater Sophistication, Skill of China’s Cyberspies

Hackers adapt to U.S.’s growing cyber defenses, learn to tread lightly and avoid detection

By Dustin Volz, Robert McMillan and Josh Chin

July 14, 2023 12:01 am ET

The hack of email accounts of senior U.S. officials including the commerce secretary is the latest feat from a network of Chinese state-backed hackers whose leap in sophistication has alarmed U.S. cybersecurity officials. 

The espionage was aimed at a limited number of high-value U.S. government and corporate targets. Though the number of victims appeared to be small, the attack—and others unearthed in the last few months linked to China—demonstrated a new level of skill from Beijing’s large hacker army, and prompted concerns that the extent of its infiltration into U.S. government and corporate networks is far greater than currently known.

Even just a few years ago, Chinese hackers were known among cybersecurity investigators for loud smash-and-grab heists of intellectual property, military technology and even a database of U.S. government employees’ personal information. The sometimes crude tactics, while effective, were often geared toward collecting huge troves of data rather than spying persistently on valuable targets, and typically left traces that made the hackers easy to identify and guard against in the future.

China’s hacker army used to be “noisy” and “rudimentary,” George Barnes, the deputy director of the National Security Agency, said Thursday at an intelligence conference. The new hack and others identified in the past few months have shown that Beijing’s sophistication “continues to increase,” he said.

The latest attack focused on the Microsoft email accounts of Commerce Secretary Gina Raimondo, State Department officials and others not publicly disclosed. It is already being rated by some security experts as among the most technically sophisticated and stealthy ever discovered, though many details—including how it began—haven’t been shared by Microsoft. It and other recently disclosed cyber-espionage operations suggest Chinese hackers can now burrow deep into high-level computer networks and evade detection for months or even years.  

The U.S. hasn’t formally linked the attack to China, though Microsoft attributed it to a Chinese hacking group and officials and lawmakers have said Beijing is responsible. China has denied the allegations. 

China long relied on techniques such as blasting malicious spam at hundreds of thousands of inboxes with little effort on the chance even a single unsuspecting target would reveal a password. In some instances, hackers would clumsily roam around a network until they tripped a security alert that enabled defenders to quickly kick them out, cybersecurity researchers said.

In 2015 the U.S. and China agreed to scale back cyberattacks, and operations against Western targets appeared to decline. Then, in 2020 they began to increase again, only with much greater sophistication.

Fueled by the threat of ransomware attacks mostly emanating from Eastern Europe, companies had gotten better at detecting attacks. So the Chinese switched focus and began hitting devices on the edge of corporate networks—hacks that were less likely to trigger security warnings, said Charles Carmakal, the chief technology officer with Google’s Mandiant cybersecurity group.

With the latest attack, the Chinese went a step further in their stealth technique. They gained access to the guts of Microsoft’s cryptographic protection system and used it to produce digital tokens—long strings of numbers and letters that are stored in the browser and act as a digital passport for Microsoft’s online services. 

“They’re hitting where the log data doesn’t exactly light up like a siren to tell you what’s wrong,” said Matt Durrin, director of training and research at the security consulting firm LMG Security. 

U.S. officials and Microsoft researchers disclosed on Tuesday that hackers linked to China breached email accounts at more than two dozen organizations, including some U.S. government agencies. American officials later said that Raimondo and senior officials at the State Department were among those in the government whose unclassified accounts were compromised. 

“It was a very advanced technique and capability and I imagine it was very valuable to the actor that used it,” said Carmakal. That was likely a reason why it appears to have been used on a small number of high-value targets, he said. “The more they used it, the greater the likelihood of getting caught.”

Cybersecurity specialists at the State Department detected the espionage campaign in June, around the time when Secretary of State Antony Blinken was planning a visit to Beijing to try to shore up deteriorating relations between the two powers. 

Blinken raised the hacking issue Thursday during a meeting in Jakarta with China’s top foreign-policy official, State Department spokesman Matt Miller said.

“We have consistently made clear that any action that targets the U.S. government, U.S. companies, American citizens is of deep concern to us, and that we will take appropriate action to hold those responsible accountable,” Miller said. “And the secretary made that clear again tonight.”
