In the wake of email account breaches, CISA points to criticality of logging

CISA says a federal agency was only able to detect the infiltration of its email accounts because it had access to Microsoft's "enhanced" logging capabilities.

In the wake of a suspected China-linked cyber campaign targeting the unclassified Microsoft cloud-based email accounts of federal agencies and other organizations, the Cybersecurity and Infrastructure Security Agency expects to soon issue an announcement with Microsoft on the availability of critical cloud audit logs outside of the company’s premium payment structure.

The development comes as a senior CISA official noted to reporters that federal cyber defenders were able to detect the incident last month because the first agency affected — reportedly the State Department — had access to premium logging capabilities.

CISA and the FBI confirmed in an advisory today that advanced persistent threat actors accessed and exfiltrated unclassified Exchange Online Outlook data. The advisory says that a federal civilian agency last month identified suspicious activity in its Microsoft 365 environment.

CNN and other outlets have reported that the first agency affected was the State Department. CNN also reports that the Commerce Department was breached, while the attackers also targeted email accounts at the House of Representatives.

Microsoft, in its own advisory, attributes the activity to a “China-based actor” known as “Storm-0558.” After starting an investigation on June 16, Microsoft discovered that the group gained access to the emails of approximately 25 organizations, including government agencies.

And the company says its investigation showed the threat group was able to pull off the breach by “using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.”

Microsoft also notes it has “completed mitigation of this attack for all customers.”

CISA and the FBI note in their advisory that the attack was discovered because the agency in question — they did not confirm it was State — was able to leverage “enhanced logging,” specifically of “MailItemsAccessed” events, a mailbox audit event in the Microsoft 365 Unified Audit Log that records each time a mailbox item is read or synced. The agency compared these logs with a normal baseline of Outlook activity and spotted access that did not fit.

“CISA and FBI are not aware of other audit logs or events that would have detected this activity,” the advisory states. “Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.”
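The baseline comparison the advisory describes can be sketched in code. The following is an added example written for this page, not code from CISA, the FBI or Microsoft: it loads MailItemsAccessed records in the shape of the AuditData JSON that Search-UnifiedAuditLog returns, builds a per-user baseline of application IDs, client IP addresses and typical operation counts from a quiet period, and flags later records that introduce an unseen AppId or IP, a bulk read, or a user with no baseline at all. The field names follow the MailItemsAccessed schema; every value (users, IPs, GUIDs, timestamps) is constructed, and the bulk-access multiplier is an arbitrary hypothetical threshold.

```python
"""Baseline-and-compare detection over Exchange Online MailItemsAccessed audit records."""
import json
from collections import defaultdict

# Constructed sample AuditData payloads, one JSON object per line (the form you get after
# exporting the AuditData column). Field names follow the MailItemsAccessed schema; all
# values are invented for this example. The MailboxLogin line shows that other operations
# are ignored.
BASELINE_JSONL = """\
{"CreationTime":"2023-05-01T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"11111111-1111-1111-1111-111111111111","ClientIPAddress":"198.51.100.10","ClientInfoString":"Client=OWA;Action=ViaProxy","OperationCount":6,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]}
{"CreationTime":"2023-05-02T09:14:40","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"11111111-1111-1111-1111-111111111111","ClientIPAddress":"198.51.100.11","ClientInfoString":"Client=OWA;Action=ViaProxy","OperationCount":9,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]}
{"CreationTime":"2023-05-02T10:01:03","Operation":"MailItemsAccessed","UserId":"bob@example.gov","AppId":"22222222-2222-2222-2222-222222222222","ClientIPAddress":"203.0.113.5","ClientInfoString":"Client=MSExchangeRPC","OperationCount":4,"OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}]}
{"CreationTime":"2023-05-03T07:55:19","Operation":"MailboxLogin","UserId":"bob@example.gov","ClientIPAddress":"203.0.113.5"}
"""

# Constructed records from the period under review: two routine reads, one access from an
# unknown application and IP with an unusually large OperationCount, and a user never seen
# in the baseline window.
REVIEW_JSONL = """\
{"CreationTime":"2023-06-15T08:10:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"11111111-1111-1111-1111-111111111111","ClientIPAddress":"198.51.100.10","ClientInfoString":"Client=OWA;Action=ViaProxy","OperationCount":7,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]}
{"CreationTime":"2023-06-15T23:41:52","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"33333333-3333-3333-3333-333333333333","ClientIPAddress":"192.0.2.77","ClientInfoString":"Client=REST;Client=RESTSystem;;","OperationCount":120,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]}
{"CreationTime":"2023-06-16T09:00:30","Operation":"MailItemsAccessed","UserId":"bob@example.gov","AppId":"22222222-2222-2222-2222-222222222222","ClientIPAddress":"203.0.113.5","ClientInfoString":"Client=MSExchangeRPC","OperationCount":3,"OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}]}
{"CreationTime":"2023-06-16T09:05:12","Operation":"MailItemsAccessed","UserId":"carol@example.gov","AppId":"22222222-2222-2222-2222-222222222222","ClientIPAddress":"203.0.113.9","ClientInfoString":"Client=MSExchangeRPC","OperationCount":2,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]}
"""


def load_records(jsonl: str) -> list[dict]:
    """Parse AuditData lines, keep only MailItemsAccessed, and flatten MailAccessType."""
    records = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        # OperationProperties is a list of {Name, Value}; Bind = item reads, Sync = folder sync.
        props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
        rec["MailAccessType"] = props.get("MailAccessType", "Unknown")
        records.append(rec)
    return records


def build_baseline(records: list[dict]) -> dict:
    """Per user: the AppIds and client IPs seen, and the largest OperationCount observed."""
    baseline = defaultdict(lambda: {"app_ids": set(), "client_ips": set(), "max_ops": 0})
    for r in records:
        b = baseline[r["UserId"]]
        b["app_ids"].add(r["AppId"])
        b["client_ips"].add(r["ClientIPAddress"])
        b["max_ops"] = max(b["max_ops"], int(r.get("OperationCount", 0)))
    return dict(baseline)


def find_anomalies(records: list[dict], baseline: dict, bulk_factor: int = 3) -> list[dict]:
    """Flag records that deviate from the user's baseline. bulk_factor is a hypothetical
    multiplier: an OperationCount above bulk_factor * the user's historical maximum is
    treated as bulk collection."""
    findings = []
    for r in records:
        b = baseline.get(r["UserId"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if r["AppId"] not in b["app_ids"]:
                reasons.append(f"new AppId {r['AppId']}")
            if r["ClientIPAddress"] not in b["client_ips"]:
                reasons.append(f"new client IP {r['ClientIPAddress']}")
            if int(r.get("OperationCount", 0)) > bulk_factor * b["max_ops"]:
                reasons.append(f"bulk access: OperationCount={r['OperationCount']}")
        if reasons:
            findings.append({"time": r["CreationTime"], "user": r["UserId"],
                             "access_type": r["MailAccessType"], "reasons": reasons})
    return findings


def run_example() -> list[dict]:
    """Build the baseline from the quiet period and review the later records."""
    baseline = build_baseline(load_records(BASELINE_JSONL))
    return find_anomalies(load_records(REVIEW_JSONL), baseline)


if __name__ == "__main__":
    for f in run_example():
        print(f["time"], f["user"], f["access_type"], "; ".join(f["reasons"]))
```

On a live tenant the input would come from `Search-UnifiedAuditLog -Operations MailItemsAccessed` over two windows, a baseline and a review period, rather than from embedded strings. Two caveats when reading real data: Exchange Online aggregates MailItemsAccessed Bind events into periodic records and stops emitting them for 24 hours once a mailbox exceeds its hourly record limit (the IsThrottled property is set), so a gap in these events is itself worth investigating, and a new AppId or IP is only a lead until the access is tied to an actual user session or application registration.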

During a briefing with reporters today, a senior CISA official noted the criticality of access to that logging data.

“It is worth noting that availability of this log is a dependency to identify this specific intrusion and really calls to the fore CISA and FBI’s work with Microsoft and other technology partners to ensure availability of necessary logging information for all customers across every sector,” the official said.

CISA and FBI officials noted the incident was not nearly as bad as the 2020 SolarWinds campaign, specifically due to the first agency’s ability to access the logging data and quickly identify what looked like an intrusion.

The officials said no classified systems or data were impacted.

“This is a notable improvement over prior intrusion campaigns, both in the ability of the federal government to rapidly detect intrusions and again in our ability to work effectively across agencies and with the private sector in response,” the CISA official noted.

The official also confirmed that the crucial logs were only accessible under Microsoft’s “premium logging tier” (at the time, MailItemsAccessed required Microsoft Purview Audit (Premium), which comes with E5 licensing), meaning organizations that did not pay for the service would not be able to identify the malicious activity by themselves.

But the official said CISA expects to soon issue announcements around discussions it has held with Microsoft on making critical log types available for no additional cost.

“We have been working deeply collaboratively with Microsoft for months to determine the specific log types that are most valuable to cybersecurity defenders, and that should be made available without premium costs,” the CISA official said. “Microsoft has been very responsive and collaborative in these conversations. And we anticipate highly positive announcements soon for the availability of additional log types in non-premium license tiers that will be available to all organizations.”

The question of whether major cloud service providers and other technology companies should make enhanced logging available for free dates back to the aftermath of the SolarWinds campaign, when some lawmakers excoriated Microsoft over charging extra for logging.

The company later made such logging available to federal agencies for free for one year.

Improving access to cyber event logs is a critical facet of the May 2021 cybersecurity executive order (EO 14028) and its focus on improving the government’s cyber investigation and remediation capabilities.

The White House Office of Management and Budget, in memorandum M-21-31, requires agencies to retain Microsoft audit logs for at least 12 months in active storage, where they can be quickly accessed, and an additional 18 months in cold storage.

Meanwhile, CISA and several partner agencies earlier this year published “secure-by-design” and “secure-by-default” principles.

While the design principles are focused on ensuring secure software development practices, the secure-by-default activities specifically call on technology companies to ensure their products come standard with security best practices like multifactor authentication for privileged users and secure logging at no extra charge.

“Without speaking to the security attributes of any specific victims, it bears noting that a preponderance of organizations using Microsoft 365 or other widely used technology platforms are not paying for premium logging or other telemetry services, and we believe that model is not yielding the sort of security outcomes that we seek,” the senior CISA official noted to reporters today.

Copyright © 2024 Federal News Network. All rights reserved.