Ep. 78: Trouble in the cloud

DINA TEMPLE-RASTON: Steven Adair doesn’t respond to the news of a cyberattack in the
way most people do…

STEVEN ADAIR: Working on interesting breaches is always fun.

TEMPLE-RASTON: Steven is the founder of a cybersecurity firm called Volexity.

ADAIR: Basically if something bad's going on, we'd like to be the ones to work on it.
Something crazy or horrible going on is, like, exciting for us.

TEMPLE-RASTON: And back in June, one of his clients called to tell him they’d been mixed
up in a major hack:

ADAIR: They're kind of like, you know, prepared for, Hey, I got targeted by someone, you know,
serious.

TEMPLE-RASTON: The breach was serious because it involved the Microsoft cloud.

ADAIR: It's the first and only instance of this within their platform that I'm aware of.

[MUSIC]

TEMPLE-RASTON: The attack seemed to upend the cloud’s fundamental promise… that it
was the safest place in the world to store your data. And while nothing is foolproof, the
security of the cloud was built on the common sense idea that letting a powerful IT
company guard your files, with their roster of cybersecurity experts, would be much safer
than leaving your data in house with your two person IT team. And now, it turned out, one
of the globe’s safest data vaults had been breached.

NEWS: Federal agencies are investigating how state-backed Chinese hackers managed to
break through Microsoft’s security…
GMA: They say this started in May and while they didn’t specify which organizations were
hit…
CBS: We know it was carried out by a group of Chinese cyber spies, a state-sponsored group
of hackers…

NEWS: The breach is the latest in a series of cyber attacks targeting senior US officials.

TEMPLE-RASTON: Microsoft revealed right away that China was behind the hack.
Specifically, it pointed to a Chinese government-backed group that specializes in espionage.
They’re known as Storm-0558. And while the idea of Chinese hackers breaking into Western
networks is nothing new, this hack was not just business as usual.

[THEME MUSIC]

TEMPLE-RASTON: I’m Dina Temple-Raston, and this is Click Here, a podcast about all things
cyber and intelligence. We tell true stories about the people making and breaking our digital
world.

Today, we look at one of the blockbuster cyberattacks of the summer, a particularly clever
operation that allowed hackers to target victims in the cloud with scary efficiency.

ADAIR: I don’t want to say impressive, but it is quite a feat. I mean, people don’t realize,
essentially, this could have been much worse.

TEMPLE-RASTON: And then, almost accidentally, it revealed a very non-techie problem: an
unseen vulnerability in Microsoft’s business model.

[STINGER]

TEMPLE-RASTON: Stay with us.

[BREAK]

TEMPLE-RASTON: Steven’s client wasn’t the only victim of the cloud break in. Microsoft said
the hackers stole emails from about 25 different organizations, including a handful of
government agencies.

JIM LEWIS: Everyone was running around in circles, waving their arms because it was such a
big deal.

TEMPLE-RASTON: Jim Lewis is Director of the Technology and Public Policy Program at CSIS. That’s the Center
for Strategic and International Studies in DC. He’s spent decades following China’s growing
cyber prowess. And he’s come to believe that who gets targeted can often provide
enormous clues about the people behind the attack.

LEWIS: The old rule of thumb still generally works that the Russians want money and the
Chinese want IP.

TEMPLE-RASTON: IP, intellectual property. Or, just as often, government secrets.

[MUSIC]

TEMPLE-RASTON: Over the past fifteen years or so, Chinese hackers have gone after IP
aggressively. They’ve downloaded massive amounts of information from a Who’s Who of
Corporate America. Names like Westinghouse Electric and U.S. Steel, SolarWorld and Alcoa.
They’ve all ended up in China’s cyber crosshairs.

On the military side, China is also thought to have exfiltrated specs on the Patriot missile
system and the F-35 Joint Strike Fighter. Military officials will tell you that the fact that
China’s J-31 stealth fighter looks an awful lot like the F-35 is no accident.

[J-31 NOISE]

TEMPLE-RASTON: And Jim Lewis says the cadence of China’s attacks is relentless.

LEWIS: At any given moment, there's probably some number greater than one of global
Chinese cyber espionage campaigns going on around the world.

[MUSIC]

TEMPLE-RASTON: Because China’s hackers tend to be either Chinese military or intelligence,
Jim says their targets provide clues into what the Chinese government is focused on.

And, in this case, it was revealing that two government agencies were in their sights.
The State Department, which it turns out first brought the breach to Microsoft’s attention,
and the Commerce Department, which has been behind a roster of sanctions and trade
restrictions against China.

TEMPLE-RASTON [INTERVIEW]: The commerce department as a general matter, I don't think
of that as being a really juicy target necessarily…

LEWIS: That's what I used to think. Then in 2008, I thought the Chinese were mirror
imaging. In China, the Ministry of Commerce is a big deal. So here it must be a big deal too. Mirror
imaging, and they were wrong. But what's changed here is Raimondo is the fireball of
the administration.

TEMPLE-RASTON: He means Commerce Secretary Gina Raimondo, who has led the charge
to sanction and restrict exports of chips and certain technologies to China.

LEWIS: And they're all, the Chinese, are all up in arms about the sanctions and export
controls. So yeah, commerce has become an important target for them.

TEMPLE-RASTON: And the timing of these hacks wasn’t coincidental. The attackers broke in
in May, just a month before Secretary of State Antony Blinken was set to visit China for
high-level talks. And the Commerce Secretary is expected to go to Beijing later this summer,
which may explain the timing of the attacks.

LEWIS: A standard part of the Chinese playbook for any negotiation is to hack the other side.

TEMPLE-RASTON: Why guess what high ranking officials might say when you sit down to
negotiate when you can take a look at what they’re actually saying in real time beforehand
in their emails?

[MUSIC]

TEMPLE-RASTON: And while it’s unsettling to know the Chinese government is hacking
unclassified US government email accounts, what might be more troubling is how they did
it. In a series of blog posts, Microsoft said Chinese hackers appeared to have found a flaw in
the way the cloud authenticated a user.

[MUSIC BUMP]

TEMPLE-RASTON: And as best we can tell, here’s how it happened:

When you type a username and password to log into the cloud, behind the scenes, the
system assigns you something called a token.

[TOKEN NOISE]

TEMPLE-RASTON: The token works like a kind of temporary ID badge that lets you
essentially swipe into the cloud and access your files. The Chinese hackers had found a way
to create those tokens and then use them to impersonate almost anyone who was using
Microsoft’s cloud-based Outlook email and calendar services.

ADAIR: You know, allow them to basically bypass having to provide a username and
password, multi-factor authentication, and kind of the general workflow that a user would
have to go through.

TEMPLE-RASTON: That’s Steven Adair again. He explained that in most hacks, the difficult
part is getting usernames and passwords so you can access files. You might have to trick a
user into giving it to you, or infect a computer with malware.

But that’s not what these Chinese hackers did. The genius of it is that they skipped that
difficult first step altogether. With the impersonation tokens, they could just march right in
and start downloading almost any Outlook 365 file on the cloud.

So instead of needing Secretary Raimondo’s username and password to get into her
account, they’d just use the token to impersonate her. CSIS’ Jim Lewis said you had to give
the Chinese credit for figuring it out.

LEWIS: The first reaction was I burst out laughing. Because really stealing somebody's
encryption keys, that's a major deal. And so I thought whoever those Chinese guys are, they
need to get a medal.

[MUSIC BUMP]

TEMPLE-RASTON: But it went beyond just being a clever hack. It was a stealthy one, too…

ADAIR: This is probably the first time we ran into it where something happened and there
was nothing for us to find. This is the first I can ever think of that.

TEMPLE-RASTON: Though the truth is, the Chinese may not have realized just how sneaky
they were being. That had to do not with the skill of Chinese hackers, but with a problem
inside Microsoft’s business model itself.

When we come back, we’ll explain.

[MUSIC]

[BREAK]

TEMPLE-RASTON: After Steven got the news that his client’s accounts in the cloud had been
breached, he and his team went to work pawing through the logs.

ADAIR: It's like, it's pretty bread and butter. It's a pretty standard process. We do it all the
time.

TEMPLE-RASTON: Steven declined to identify his client, but he did say that Microsoft made
clear this wasn’t a broad-based attack. It was surgical. In the case of Steven’s client, the
Chinese hackers targeted just one member of the organization: an employee working on
human rights in, you guessed it, China. So Steven and his team focused on that one
employee’s account, looking for those little forensic clues hackers always leave behind.

ADAIR: A record for deleting an email or logging in or a failed login event. You're kind of just
poring over everything.

TEMPLE-RASTON: Microsoft had provided a lead as well: they had identified a specific IP
address that appeared to be connected to the hack, and they made that public. So Steven
and his team started there.

ADAIR: Have you ever seen it connect to one of the networks? Does it, you know, show up in
any number of different places?

TEMPLE-RASTON: And what they see in the IP records is exactly what you’d expect.

ADAIR: The IP addresses are always the same. It's the office, it's the home, it's the, you
know, the, the cell network that their phone is on. I mean, like the places they're connecting
from, what they're doing.

TEMPLE-RASTON: So they keep digging, searching for that suspicious address. And they
kept coming up empty.

ADAIR: There's absolutely no hits for that. So, like, that's a little bit strange.

[MUSIC]

TEMPLE-RASTON: It was like this ghostly thing that hadn’t left a trace.

ADAIR: You couldn't convince me anything in here is out of the ordinary and I would never
suspect a breach, and I'm looking for one.

TEMPLE-RASTON: But it turns out there was a really good reason for that. And it had
nothing to do with Steven’s investigation skills, or even with the Chinese hackers. It was
about Microsoft.

[MICROSOFT AD MUSIC]

TEMPLE-RASTON: Microsoft Office went through a big brand overhaul a couple of years ago
and officially became Microsoft 365 last year…

MICROSOFT AD: Office 365 really lets us collaborate in real time.

TEMPLE-RASTON: As part of the rebrand, programs like Excel, Outlook and Word all came
under the 365 umbrella.

AD: With Office 365 we can all stay connected, from Vietnam to Boston to New York…

TEMPLE-RASTON: No more buying individual software apps from an a la carte menu. Now
with a Microsoft 365 license, you get a kind of buffet. And it turns out there’s a standard
buffet, and then a better one — one that for an extra $57 a month per person gives
you a kind of premium fare. Things like audio-conferencing, advanced threat protection and
something called “Mail Items Accessed.”

The Mail Items Accessed Operation is part of Microsoft’s Advanced Audit function. It allows
you to see more detailed information about what’s happening behind the scenes of your
Outlook account. The good news was if you had the premium license with that advanced
audit function, it showed you exactly what the Chinese were doing in your system. The
government had a premium license, which may be why they were able to detect the
intrusion.

But, unfortunately for Steven’s client, they didn’t have a premium license. So he was flying
blind. Because, if you couldn’t spot that malicious IP address, then you needed the complete
logs of the compromised email account in order to see how the Chinese got in.

ADAIR: Because the attacker didn't log in like normal. They didn’t do all these other things.
They just came in and started pulling email.

TEMPLE-RASTON: But if Steven’s client had the premium logging package, they would have
been able to see someone accessing email.

ADAIR: So that, that's what we came to learn as to why we were not able to find
anything during our investigation.

TEMPLE-RASTON: And, further bad news, you can’t just go ask Microsoft for the premium
grade logs after the fact if you weren’t a premium subscriber when the attack happened.
Steven said to think of it in terms of a home invasion.

ADAIR: You go back to the place of the crime and there's a camera on the front door. And
the back door. In this case, it would be like the camera was at the back door, but you
weren't paying the appropriate license level to have it record. So when you went to go look
at the footage, there was nothing there.

TEMPLE-RASTON: The thing is, this part of the license — the extra logs that reveal this kind
of hack — is the sort of thing a chief information officer would think comes standard. The
only reason the breach was discovered at all was because several of China’s victims did pay
for the premium license, so they were organizations that, to use Steven’s metaphor, had
the back door camera on.

ADAIR: I mean, it's super crafty if you think about it. If this agency hadn't noticed, it would
just be another case of ongoing email theft. It's crafty in the sense that it's completely under
the radar.

[MUSIC]

TEMPLE-RASTON: On Capitol Hill, lawmakers are demanding answers. Last week, a number
of senators, including Ron Wyden of Oregon, asked the Justice Department to investigate.
They want to know whether Microsoft’s security practices contributed to the breach. As to
whether all of this should make people wary of the promise of the cloud and its alleged gold
standard security…

ADAIR: I mean, I think it's a wake up call even for other providers. So should it shake our
confidence in the cloud? I think it should level-set our confidence.

TEMPLE-RASTON: Steven talked to Microsoft about clients having to pay extra to get those
security logs.

ADAIR: We kind of said, um, you know, publicly a bit that, Hey, it'd be really nice if this type of
log data was available at the lower log, you know, lower levels or maybe there's a happy medium
where the advanced logging is available for some nominal cost and doesn't require a higher
license level.

TEMPLE-RASTON: And Microsoft listened. At the end of July, the company said that it would
stop locking the security logs behind the monthly plan. They said it’ll be available to
everyone starting in September.

This is Click Here.

[HEADLINES MUSIC]

TEMPLE-RASTON: Here are some of the top cyber and intelligence headlines of the past
week:

Officials at the NSA are talking to lawmakers about an amendment that would prevent
government agencies from tracking U.S. citizens without a search warrant. According to a
report in WIRED magazine, officials want lawmakers to oppose a measure in the National
Defense Authorization Act that would prevent a roster of government agencies from paying
companies for data that would otherwise require a warrant, court order or subpoena. The
amendment has already been approved by the House.

—-

The Transportation Security Administration or TSA has renewed regulations that would
require operators of gas pipelines to certify that they have instituted a range of
cybersecurity measures to protect their operations. The regulations require, among other
things, incident response plans, the creation of a cybersecurity coordinator, and the
segmentation of their computer networks… so if a bad actor gets into one part of their
network they won’t have access to everything. TSA put these regulations in place in 2021,
after the Colonial Pipeline ransomware attack. Colonial’s billing systems were locked up,
which caused a week-long run on gasoline on the East Coast.

And finally, the Senate Armed Services Committee approved President Joe Biden’s nominee
to be the head of U.S. Cyber Command and NSA. Air Force Lt. Gen. Timothy Haugh sailed
through his nomination hearings and because no lawmakers have objected to his taking the
job, the nomination has been automatically sent to the full Senate.

But that’s where the trouble begins: Senator Tommy Tuberville, an Alabama Republican,
has put a hold on the approval of all senior military nominees until the Pentagon reverses
its abortion travel policy. The Pentagon said it would provide days off and travel
reimbursement for military personnel who have to travel to another state to get
reproductive care. Tuberville’s hold is now affecting some 300 officers including Army
General William Hartman, who is supposed to replace Haugh as the number two at Cyber
Command.

[CLICK HERE THEME]

TEMPLE-RASTON: I'm Dina Temple-Raston. I'm the executive producer and host of the show.
Sean Powers is our senior producer and marketing director. Will Jarvis is our producer, and
Sarah Wyman is our writer-reporter. Our editing team is led by Karen Duffin and Lu
Olkowski.

Darren Ankrom does our fact-checking, and our theme and original music compositions are
by Ben Levingston. We also use music from Blue Dot Sessions.

And we'd love to hear from you. Please leave us a review and rating wherever you get your
podcasts or send us an email at click here [at] recordedfuture [dot] com. Check out our
website with details about our shows and our whole show catalog at ClickHereShow [dot]
com. That's a wrap for this week. I'm Dina Temple-Raston. We'll be back on Tuesday.
