Microsoft: Chinese hackers stole signing key via crash dump and hacked account
Earlier this year, state-backed hackers whom experts link to China managed to obtain a Microsoft signing key from a crash dump, which they reached through a compromised employee account.
Microsoft says this in a blog post that wraps up its investigation of the hack, which took place earlier this year. The group, which Microsoft tracks as Storm-0558, used the key to get into the email accounts of several companies and of government institutions in Western Europe and North America, including the US State Department. Microsoft has now completed its investigation into that hack.
The chain of events began in April 2021, when Microsoft's consumer signing system crashed and produced a crash dump: a snapshot of the process's memory and state at the moment of failure, kept so that engineers can work out what went wrong. Microsoft now concludes that this crash dump contained a signing key, the key with which the platform signs authentication tokens. Whoever holds such a key can mint tokens that pass signature checks and pose as a legitimate user. Microsoft acknowledges that the key should never have ended up in the crash dump, attributes its presence to a race condition in the logic that strips sensitive material from dumps, and says it has fixed the problem.
The crash dump containing the key initially sat in an isolated production environment, but was later moved to a debugging environment on Microsoft's internet-connected corporate network. At some point 'later', the hackers compromised the corporate account of a Microsoft engineer and through it gained access to that debugging environment. Microsoft remains vague on this point: it does not say when that account was compromised or how. It is therefore unclear how long the hackers had access to Microsoft's systems. The company does note that crash dumps were not being scanned for key material, but does not explain how the attackers went unnoticed for so long. Microsoft also says it has no concrete evidence that the attacker obtained the crash dump through that account, because the relevant logs have since been deleted under its own log retention policy. “But this was the most likely way the attacker managed to obtain the key,” the company wrote.
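The check Microsoft says was missing, scanning crash dumps for key material before they leave a trusted environment, can be approximated with a pattern scan over the dump. The following is an added example, not Microsoft's tooling or code from the page: it looks for PEM-armoured private keys, DER-encoded PKCS#1 and PKCS#8 RSA private keys, and JWK objects that carry a private exponent, and runs over a crash-dump stand-in constructed inside the script (the key blobs in it are synthetic headers with filler, not real keys).

```python
"""Scan a crash dump / memory image for embedded private-key material (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    offset: int   # byte offset of the match inside the dump
    kind: str     # which encoding of private-key material was found
    detail: str


# PEM armor used for private keys (PKCS#1 "RSA", SEC1 "EC", DSA, PKCS#8 plain or encrypted, OpenSSH).
PEM_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
# DER PKCS#1 RSAPrivateKey (1024-bit and up): SEQUENCE(long form) { INTEGER 0 version,
# INTEGER modulus (long-form length 0x81/0x82), ... }
PKCS1_RE = re.compile(rb"\x30\x82[\x00-\xff]{2}\x02\x01\x00\x02[\x81\x82]")
# DER PKCS#8 PrivateKeyInfo: SEQUENCE { INTEGER 0, SEQUENCE { OID rsaEncryption 1.2.840.113549.1.1.1 ...
PKCS8_RSA_RE = re.compile(
    rb"\x30\x82[\x00-\xff]{2}\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
)
# JWK objects: an RSA JWK that also carries the private exponent "d" is a private key.
JWK_RE = re.compile(rb'\{[^{}]{0,4096}"kty"\s*:\s*"RSA"[^{}]{0,4096}\}')
JWK_PRIV_RE = re.compile(rb'"d"\s*:\s*"')


def scan_dump(data: bytes) -> list[Finding]:
    """Return every private-key-shaped artefact found in the image, ordered by offset."""
    findings: list[Finding] = []
    for m in PEM_RE.finditer(data):
        findings.append(Finding(m.start(), "pem-private-key", m.group(0).decode()))
    for m in PKCS8_RSA_RE.finditer(data):
        findings.append(Finding(m.start(), "der-pkcs8-rsa", "PrivateKeyInfo with rsaEncryption OID"))
    for m in PKCS1_RE.finditer(data):
        findings.append(Finding(m.start(), "der-pkcs1-rsa", "RSAPrivateKey (version 0, long-form modulus)"))
    for m in JWK_RE.finditer(data):
        if JWK_PRIV_RE.search(m.group(0)):   # public JWKs (n, e only) are not reported
            findings.append(Finding(m.start(), "jwk-rsa-private", 'RSA JWK carrying private exponent "d"'))
    return sorted(findings, key=lambda f: f.offset)


_NOISE = bytes(range(256))  # deterministic filler standing in for unrelated heap contents


def build_sample_dump() -> bytes:
    """Constructed crash-dump stand-in: filler with three private keys and one public JWK mixed in."""
    fake_pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"MIIEpAIBAAKCAQEAconstructedNotARealKey\n"
                b"-----END RSA PRIVATE KEY-----\n")
    fake_pkcs8 = (b"\x30\x82\x04\xbe\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
                  b"\x05\x00\x04\x82\x04\xa8" + _NOISE[:64])
    fake_pkcs1 = b"\x30\x82\x04\xa4\x02\x01\x00\x02\x82\x01\x01\x00" + _NOISE[:64]
    private_jwk = b'{"kty":"RSA","kid":"sign-2021","n":"constructed","e":"AQAB","d":"constructed"}'
    public_jwk = b'{"kty":"RSA","kid":"sign-2021","n":"constructed","e":"AQAB"}'
    return (_NOISE * 2 + fake_pem + _NOISE + fake_pkcs8 + _NOISE + fake_pkcs1
            + _NOISE + private_jwk + _NOISE + public_jwk + _NOISE)


if __name__ == "__main__":
    for f in scan_dump(build_sample_dump()):
        print(f"offset {f.offset:>6}  {f.kind:<18} {f.detail}")
```

On a real dump you would feed the file contents to `scan_dump` (or walk it in overlapping chunks for very large images) and block the move to a less trusted environment on any non-empty result; the regexes are deliberately loose, so a hit is a reason to redact and investigate rather than proof of a usable key.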
Microsoft has made several other changes in response to the incident. The company now scans more widely for credentials, including in crash dumps, and has updated its token-validation libraries so that they automatically check the scope of the key that signed a token, rather than only the signature itself. In July, the company also made more cloud audit logging available free of charge to business customers of Exchange Online and Microsoft 365.
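Key-scope validation, which Microsoft says its updated libraries now perform, means a token is rejected when the key that signed it is not one the issuer named in the token is entitled to use, even though the signature itself verifies. The following added example (not Microsoft's code; the issuer URLs, key ids and secrets are made up, and HMAC-SHA256 stands in for the RSA signatures a real identity platform would use) contrasts a verifier that checks only the signature with one that also checks key scope, using a token signed with a 'consumer' key but claiming an 'enterprise' issuer.

```python
"""Token verification with and without key-scope validation (added example)."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningKey:
    kid: str
    secret: bytes          # HMAC secret standing in for an RSA key pair (assumption of this example)
    issuers: frozenset     # the key's scope: issuers it is allowed to vouch for


class VerifyError(Exception):
    pass


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: SigningKey, claims: dict) -> str:
    """Mint a JWT-style token 'header.payload.signature' with the given key."""
    header = {"alg": "HS256", "kid": key.kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_token(token: str, keyring: dict, check_scope: bool = True) -> dict:
    """Check the signature, then (if check_scope) that the key is trusted for the token's issuer."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_unb64(h64))
        claims = json.loads(_unb64(p64))
    except ValueError as exc:          # bad split, bad base64, bad UTF-8 or bad JSON
        raise VerifyError("malformed token") from exc
    key = keyring.get(header.get("kid"))
    if key is None:
        raise VerifyError("unknown kid")
    expected = hmac.new(key.secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s64)):
        raise VerifyError("bad signature")
    # The step that was missing: a valid signature proves who signed the token, not that
    # the signer was entitled to issue tokens for the issuer the token claims.
    if check_scope and claims.get("iss") not in key.issuers:
        raise VerifyError(f"key {key.kid} is not trusted for issuer {claims.get('iss')!r}")
    return claims


CONSUMER_ISSUER = "https://consumer.example/"              # constructed issuer names
ENTERPRISE_ISSUER = "https://enterprise.example/tenant-a"


def build_keyring() -> dict:
    """Two keys, each bound to the issuer it may sign for (constructed ids and secrets)."""
    consumer = SigningKey("consumer-2021", b"key-leaked-via-crash-dump", frozenset({CONSUMER_ISSUER}))
    enterprise = SigningKey("enterprise-2023", b"enterprise-key-material", frozenset({ENTERPRISE_ISSUER}))
    return {k.kid: k for k in (consumer, enterprise)}


def forge_with_consumer_key(keyring: dict) -> str:
    """What an attacker holding only the consumer key can do: sign enterprise claims with it."""
    return issue_token(keyring["consumer-2021"], {"iss": ENTERPRISE_ISSUER, "sub": "admin@tenant-a"})


def accepted(token: str, keyring: dict) -> tuple:
    """(accepted by signature-only validation, accepted with key-scope validation)."""
    results = []
    for check_scope in (False, True):
        try:
            verify_token(token, keyring, check_scope=check_scope)
            results.append(True)
        except VerifyError:
            results.append(False)
    return tuple(results)


if __name__ == "__main__":
    ring = build_keyring()
    print("forged token accepted (signature-only, with scope):",
          accepted(forge_with_consumer_key(ring), ring))   # (True, False)
```

The forged token passes the signature-only verifier because the consumer key is a known, trusted key and the HMAC matches; only the scope check notices that this key was never meant to vouch for the enterprise issuer. A legitimately issued enterprise token passes both checks, and a token whose payload has been altered fails both.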