chat
expand_more

Lessons Learned from Last Week’s Email Breach on Federal Agencies

Discover key cybersecurity takeaways from last week’s email breach on federal agencies by a Chinese APT group.
July 20, 2023

This article was originally published on SC Media.

Cyberattacks are happening all the time and every day, but nation-state attacks are a different beast—not only because of their implications for national security but also because they are typically very difficult to detect. These types of threat groups are highly selective in their targeting, compared to most cybercriminals who operate opportunistically, are incredibly sophisticated in their attack techniques, and have substantial funding to carry out their operations.

So What Happened Last Week?

We learned early last week that a group of Chinese hackers exploited a vulnerability in Microsoft’s cloud email service to gain access to the cloud-based email accounts at 25 organizations.

The attackers primarily targeted West European organizations, but there were also reports in the mainstream press that U.S. government agencies such as the Commerce and State departments were hacked. An investigation by Microsoft determined that this group—coined Storm-0558—forged authentication tokens to compromise the email accounts, most likely to gain access to data residing in those systems for espionage purposes.

The attack by Storm-0558 wasn’t a “smash and grab” scenario more typical of high-volume/low-yield spam and credential phishing attacks—it was an advanced and strategically-executed attack. Nation-state attackers have the resources and skills to break into accounts, and they can also go undetected once inside. In this attack, the Storm-0558 attackers were lurking within government email accounts, with access to the data in those accounts, for as long as a month before targeted agencies noticed anomalous mail activity.

What Can We Learn from This Incident?

Although this particular incident was targeted at the U.S. government, there are important lessons that any organization can take away from this when it comes to mitigating advanced email compromise attacks.

In the case of the Storm-0558 attack, the threat actors accessed target accounts by exploiting a vulnerability they found in the authentication process. Because every attack is different, security teams may not know of an undiscovered or undisclosed vulnerability that could lead to an account takeover.

Remaining a step ahead and guaranteeing the best means of protection requires a layered security approach. Start by diligently exercising foundational security measures, including multi-factor authentication to ensure airtight email account access. From there, continue building up defenses with a strong vulnerability and application security program.

But while these steps can prevent initial infiltration, it’s important to consider a means of detection in the instance that an attacker does manage to gain access to an account. Today’s cybercriminals are only getting savvier, and it’s much more likely than not that you will experience a compromised account at some point.

How to Stay One Step Ahead of Sophisticated Threat Actors

Security teams should consider behavior-based anomaly detection that leverages artificial intelligence, especially when focused on the identity and behavior of the account holder. Organizations should not have to rely on human detection to catch suspicious activity — cybercriminals have gotten too good at flying under the radar. Detection needs to happen in seconds, especially in organizations with high-value intelligence like the federal government.

Advanced email attacks – whether by sophisticated nation-state operations seeking high-value national intelligence, or by petty criminals after a simple money grab – are only continuing to increase, and organizations need to harden their defenses accordingly. By layering security protections with an emphasis on detection and remediation, security teams can put themselves in the best position to defend against today’s threat landscape.

Interested in learning more about the latest attack trends? Check out our attack library here or if you're ready to see Abnormal in action, schedule a demo below!

See a Demo
Lessons Learned from Last Week’s Email Breach on Federal Agencies

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Proofpoint Customer Story Blog 8
A Fortune 500 transportation and logistics leader blocked more than 6,700 attacks missed by Proofpoint and reclaimed 350 SOC hours per month by adding Abnormal to its security stack.
Read More
B Gartner MQ 2024 Announcement Blog
Abnormal Security was named a Leader in the 2024 Gartner Magic Quadrant for Email Security Platforms and positioned furthest for Completeness of Vision.
Read More
B Gift Card Scams Tricker to Spot Blog
Learn why gift card scams are becoming more difficult to identify, how cybercriminals evolve their tactics, and strategies to protect your organization.
Read More
B Offensive AI 12 16 24
Learn how AI is used in cybersecurity, what defensive AI vs. offensive AI means, and how to use defensive AI to combat offensive AI.
Read More
B Proofpoint Customer Story Blog 7
See how Abnormal's AI helped a Fortune 500 insurance provider detect 27,847 threats missed by Proofpoint and save 6,600+ hours in employee productivity.
Read More
B Cyberattack Forecast Emerging Threats Blog
Uncover the latest email threats and strategies to strengthen your cybersecurity and prepare for 2025.
Read More