{
	"id": "6ed295bc-34a6-4a39-8246-d3262ee16592",
	"created_at": "2026-04-06T00:09:11.73197Z",
	"updated_at": "2026-04-10T13:11:44.804092Z",
	"deleted_at": null,
	"sha1_hash": "a5485f7674db4f22fa79fde28a73c92496e2221b",
	"title": "Mitigation for China-based threat actor activity - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35233,
	"plain_text": "Mitigation for China-based threat actor activity - Microsoft On the Issues\r\nBy Charlie Bell\r\nPublished: 2023-07-12 · Archived: 2026-04-05 18:46:50 UTC\r\nMicrosoft and others in the industry have called for transparency when it comes to cyber incidents so that we can learn and get better. As we’ve stated previously, we cannot ignore the exponential rise and frequency of sophisticated attacks. The growing challenges we face only reinforce our commitment to greater information sharing and industry partnership.\r\nToday, we are publishing details of activity by a China-based actor Microsoft is tracking as Storm-0558 that gained access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts of individuals likely associated with these organizations. We have been working with the impacted customers and notifying them prior to going public with further details. At this stage – and in coordination with customers – we are sharing the details of the incident and threat actor to benefit the industry.\r\nCyberattacks continue to rise in sophistication and frequency\r\nMotivated threat actors continue to focus on compromising IT systems. These well-resourced adversaries draw no distinction between trying to compromise business or personal accounts associated with targeted organizations, since it only takes one successfully compromised account login to gain persistent access, exfiltrate information and achieve espionage objectives. The threat actor Microsoft links to this incident is an adversary based in China that Microsoft calls Storm-0558. We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.\r\nMitigation completed for all customers\r\nOn June 16, 2023, based on customer-reported information, Microsoft began an investigation into anomalous mail activity. Over the next few weeks, our investigation revealed that beginning on May 15, 2023, Storm-0558 gained access to email data from approximately 25 organizations, and a small number of related consumer accounts of individuals likely associated with these organizations. They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key. Microsoft has completed mitigation of this attack for all customers.\r\nWe added substantial automated detections for known indicators of compromise associated with this attack to harden defenses and customer environments, and we have found no evidence of further access.\r\nCoordinated response key to rapid mitigation\r\nMicrosoft’s real-time investigation and collaboration with customers let us apply protections in the Microsoft Cloud to protect our customers from Storm-0558’s intrusion attempts. We’ve mitigated the attack and have contacted impacted customers. We’ve also been partnering with relevant government agencies like DHS CISA. We’re thankful they and others are working with us to help protect affected customers and address the issue. We’re grateful to our community for a swift, strong and coordinated response.\r\nMore details to support our customers and the defender community can be found here.\r\nAccountability starts with us\r\nThe accountability starts right here at Microsoft. We remain steadfast in our commitment to keep our customers safe. We are continually self-evaluating, learning from incidents, and hardening our identity/access platforms to manage evolving risks around keys and tokens.\r\nWe need to continue to push the envelope on security so we’re prepared for whatever might come our way. We will continue to work with our customers and community to share information and strengthen our collective defenses.\r\nSource: https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/"
	],
	"report_names": [
		"mitigation-china-based-threat-actor"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86fb4ddd-989e-4613-8db8-ca646c553aae",
			"created_at": "2023-11-01T02:00:07.404201Z",
			"updated_at": "2026-04-10T02:00:03.381034Z",
			"deleted_at": null,
			"main_name": "Storm-0558",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1c762729-56f7-48d5-8fb0-b64a43716319",
			"created_at": "2023-09-07T02:02:47.944899Z",
			"updated_at": "2026-04-10T02:00:04.907587Z",
			"deleted_at": null,
			"main_name": "Storm-0558",
			"aliases": [
				"Antique Typhoon"
			],
			"source_name": "ETDA:Storm-0558",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"SinoChopper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434151,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5485f7674db4f22fa79fde28a73c92496e2221b.pdf",
		"text": "https://archive.orkl.eu/a5485f7674db4f22fa79fde28a73c92496e2221b.txt",
		"img": "https://archive.orkl.eu/a5485f7674db4f22fa79fde28a73c92496e2221b.jpg"
	}
}