
US government stresses audit logging importance in wake of Chinese APT intrusions

News Analysis
Jul 13, 2023 · 6 mins
Advanced Persistent Threats, Email Security, Vulnerabilities

CISA and the FBI say audit logging was critical to discovering a Chinese espionage campaign that targeted US government agencies and urge all organizations to ensure the organizational tracking technology is enabled.

[Image: email security key on keyboard. Credit: Markus Mainka / Shutterstock]

After receiving a report from a US federal government agency, Microsoft discovered that a Chinese espionage actor it calls Storm-0558 had gained access to its cloud-based Outlook Web Access (OWA) in Exchange Online and its unclassified email service for about a month, starting on May 15, 2023, as part of a targeted campaign that affected 25 organizations. The Chinese hackers gained access to email data by using forged authentication tokens obtained via a Microsoft account signing key, although it's unclear whether Microsoft itself experienced a breach. The software giant mitigated this attack for all customers without requiring any action on their part and said it added “substantial automated detections for known indicators of compromise associated with this attack to harden defenses and customer environments.”

Although Microsoft did not name the initial reporting agency, the US State Department was the first to detect the espionage campaign. The hack was discovered in June, close to the time of Antony Blinken’s travel to China; he was the first US secretary of state to visit Beijing in five years.

The Chinese threat actors also breached emails at the Commerce Department, including that of Secretary Gina Raimondo. The Commerce Department has been active in limiting the US export of technology to China, given the country's active surveillance activities and aggressive military modernization.

While Microsoft attributes the campaign to China, the US government has refrained from doing so. “In terms of attribution, the sophistication of this attack where actors were able to access the mailbox content of victims is indicative of APT activity, but we are not prepared to discuss attribution at a more specific level,” a senior FBI official told reporters.

Although government officials won’t reveal which agencies or how many accounts were affected, “The number of United States organizations is in the single digits, and the number of impacted accounts for each was a small number,” a senior CISA official told reporters. “This appears to have been a very targeted surgical campaign that was not seeking the breadth of access that we have seen in other campaigns such as SolarWinds.”

Audit logging was crucial to the campaign’s discovery

Following Microsoft’s announcement of the campaign, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), “Enhanced Monitoring to Detect APT Activity Targeting Outlook Online,” to guide agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments.

In the advisory, CISA and the FBI strongly encourage critical infrastructure organizations to ensure that audit logging, which tracks software activity across organizational systems and which they credit with discovering the attack, is enabled. “It bears noting that the affected agency was able to detect initially the suspicious activity by leveraging enhanced logging, a specific log called MailItemsAccessed as described in our joint advisory and noted that this logging event was a deviation from their normal cloud environment activity,” a senior CISA official told reporters.

CISA and the FBI said in the advisory that “the MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB [Federal Civilian Executive Branch] agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment.”
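The detection the agency describes is a baseline comparison: which AppIds normally generate MailItemsAccessed events for a given mailbox, and which one suddenly did not fit. The following script is an added example of that logic and is not code from CISA, the FBI or Microsoft. It assumes MailItemsAccessed records exported as newline-delimited JSON with the field names the Unified Audit Log uses (Operation, AppId, MailboxOwnerUPN, CreationTime, ClientInfoString); the AppId GUIDs, mailboxes, timestamps and client strings are all constructed for the example. It builds a per-mailbox and tenant-wide baseline from one window of records, then flags any mailbox/AppId pair in a later window that the baseline has never seen, rating a tenant-wide unknown app higher than an app that is merely new for that mailbox.

```python
import json
from collections import defaultdict

# Constructed AppId values. Real AppIds are GUIDs issued by Microsoft; these are
# placeholders for the example and do not identify any real application.
APP_OWA = "11111111-1111-1111-1111-111111111111"
APP_DESKTOP = "22222222-2222-2222-2222-222222222222"
APP_UNKNOWN = "99999999-9999-9999-9999-999999999999"

SEVERITY_RANK = {"high": 0, "medium": 1}


def _rec(ts, upn, app_id, client, op="MailItemsAccessed"):
    """Build one audit record using the Unified Audit Log field names (values constructed)."""
    return {"CreationTime": ts, "Operation": op, "MailboxOwnerUPN": upn,
            "AppId": app_id, "ClientInfoString": client}


# Constructed baseline window: only two applications touched mailboxes.
BASELINE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("2023-04-03T08:12:41", "alice@example.gov", APP_OWA, "Client=OWA"),
    _rec("2023-04-03T09:40:02", "alice@example.gov", APP_DESKTOP, "Client=MSExchangeRPC"),
    _rec("2023-04-04T07:55:19", "bob@example.gov", APP_OWA, "Client=OWA"),
    _rec("2023-04-05T16:03:27", "carol@example.gov", APP_OWA, "Client=OWA"),
])

# Constructed detection window: a familiar app, an app known in the tenant but
# new for bob, an app never seen before reading carol's mailbox twice, and an
# unrelated operation that the parser must ignore.
WINDOW_LOG = "\n".join(json.dumps(r) for r in [
    _rec("2023-05-16T08:02:10", "alice@example.gov", APP_OWA, "Client=OWA"),
    _rec("2023-05-16T08:30:44", "bob@example.gov", APP_DESKTOP, "Client=MSExchangeRPC"),
    _rec("2023-05-16T03:14:05", "carol@example.gov", APP_UNKNOWN, "Client=REST"),
    _rec("2023-05-16T03:15:52", "carol@example.gov", APP_UNKNOWN, "Client=REST"),
    _rec("2023-05-16T09:00:00", "bob@example.gov", APP_OWA, "Client=OWA", op="MailboxLogin"),
])


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, keeping only MailItemsAccessed events."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") == "MailItemsAccessed":
            records.append(rec)
    return records


def build_baseline(records):
    """Map each mailbox to the AppIds that accessed it, and keep a tenant-wide set too."""
    per_mailbox = defaultdict(set)
    org_wide = set()
    for rec in records:
        per_mailbox[rec["MailboxOwnerUPN"]].add(rec["AppId"])
        org_wide.add(rec["AppId"])
    return {"per_mailbox": dict(per_mailbox), "org_wide": org_wide}


def detect_new_appids(records, baseline):
    """Return one alert per (mailbox, AppId) pair absent from the baseline.

    'high'   = the AppId has never generated MailItemsAccessed anywhere in the tenant
    'medium' = the AppId is known in the tenant but has never read this mailbox
    """
    alerts = {}
    for rec in records:
        upn, app_id = rec["MailboxOwnerUPN"], rec["AppId"]
        if app_id in baseline["per_mailbox"].get(upn, set()):
            continue  # this app normally reads this mailbox; nothing to flag
        severity = "medium" if app_id in baseline["org_wide"] else "high"
        alert = alerts.setdefault((upn, app_id), {
            "mailbox": upn, "app_id": app_id, "severity": severity,
            "first_seen": rec["CreationTime"], "count": 0, "clients": set()})
        alert["count"] += 1
        # ISO-8601 timestamps compare correctly as strings
        alert["first_seen"] = min(alert["first_seen"], rec["CreationTime"])
        alert["clients"].add(rec.get("ClientInfoString", ""))
    result = []
    for alert in alerts.values():
        alert["clients"] = sorted(alert["clients"])
        result.append(alert)
    return sorted(result, key=lambda a: (SEVERITY_RANK[a["severity"]], a["mailbox"]))


def run_example():
    """Build the baseline from the first window and score the second against it."""
    baseline = build_baseline(parse_audit_log(BASELINE_LOG))
    return detect_new_appids(parse_audit_log(WINDOW_LOG), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(json.dumps(alert))
```

The baseline window matters as much as the rule: if it is too short, legitimate but infrequent clients show up as "new", and if it includes the intrusion period, the attacker's AppId becomes part of normal. Keeping the tenant-wide set separate from the per-mailbox set lets an analyst triage a first-ever AppId ahead of a known app reaching a new mailbox.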

The agencies stressed the importance of audit logging to what government officials say was a swift reaction to the campaign, particularly compared to past government intrusions. “Every organization is urged to review the logging guidance and hardening recommendations in our joint advisory, which are necessary for every organization using cloud business applications, whether or not they have been impacted by this specific intrusion campaign,” the senior CISA official said.

Making robust audit logging free would help

One significant barrier to adopting robust audit logging is the premium price that Microsoft places on its higher tiers of audit logging, which include MailItemsAccessed. “It is our perspective that every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box to reasonably detect malicious cyber activity. We have been working closely with Microsoft to ensure the availability of this necessary logging for all organizations, federal and non-federal, without added charge,” the CISA official said.

“We appreciate Microsoft’s commitment to making further progress in this area. We cannot rely upon organizations paying more for better logging. That is a recipe for inadequate visibility and adversaries having unnecessary levels of success in targeting American organizations.”

Follow baseline configurations

In the meantime, the advisory strongly encourages critical infrastructure organizations to ensure audit logging is enabled. In addition, CISA and the FBI recommend that all organizations adopt minimum viable secure configuration baselines that are part of CISA’s Secure Cloud Business Applications (SCuBA) Project.

They also encourage organizations to enable premium logging, ensure logs are searchable by operators, and understand their cloud baseline. They further recommend that organizations implement the following to harden their cloud environments:

  • Apply CISA’s recommended baseline security configurations for Microsoft Defender for Office 365, Azure Active Directory, Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams [SCuBA TRA Section 6.6].
  • Separate administrator accounts from user accounts according to the National Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation of Duties.
  • Collect and store access and security logs for secure cloud access (SCA) solutions, endpoint solutions, cloud applications/platforms, and security services, such as firewalls, data loss prevention systems, and intrusion detection systems [SCuBA TRA Section 6.8.1].
  • Use a telemetry hosting solution (e.g., a SIEM solution) that aggregates logs and telemetry data to facilitate internal organization monitoring, auditing, alerting, and threat detection activities [SCuBA TRA Section 6.8.1].
  • Review contractual relationships with all cloud service providers (CSPs) and ensure contracts include:
      ◦ Security controls the customer deems appropriate.
      ◦ Appropriate monitoring and logging of provider-managed customer systems.
      ◦ Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
      ◦ Notification of confirmed or suspected activity.

Most importantly, “Every organization identifying anomalous activity on their cloud or on-prem environments should immediately contact CISA or the FBI in the coming days,” the CISA official said. “We will keep working with Microsoft and our partners to better understand the root causes of this incident and ensure execution of all necessary improvements consistent with the administration’s focus on driving security by design across every product and every vendor.”

Contributing Writer

Cynthia Brumfield is a veteran communications and technology analyst who is currently focused on cybersecurity. She runs a cybersecurity news destination site, consults with companies through her firm DCT-Associates, and is the author of the book published by Wiley, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.
