Chinese Hackers Breached Government Email Accounts, Microsoft Says

Chinese hackers intent on collecting intelligence on the United States gained access to government email accounts, Microsoft disclosed on Tuesday night.

The attack was targeted, according to a person briefed on the intrusion into the government networks, with the hackers going after specific accounts rather than carrying out a broad-brush intrusion that would suck up enormous amounts of data. Adam Hodge, a spokesman for the White House’s National Security Council, said no classified networks had been affected. An assessment of how much information was taken is continuing.

Microsoft said that in all, about 25 organizations, including government agencies, had been compromised by the hacking group, which used forged authentication tokens to get access to individual email accounts. Hackers had access to at least some of the accounts for a month before the breach was detected, Microsoft said. It did not identify the organizations and agencies affected.

The sophistication of the attack and its targeted nature suggest that the Chinese hacking group was either part of Beijing’s intelligence service or working for it. “We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection,” Charlie Bell, a Microsoft executive vice president, wrote in a blog post on Tuesday night.

Although the breach appeared to be far smaller in scale than some recent intrusions like the SolarWinds hack by Russia in 2019 and 2020, it could provide information useful to the Chinese government and its intelligence services, and it threatened to further strain relations between the United States and China.

The vulnerability the hackers exploited appeared to be in Microsoft’s cloud security and was first detected by the U.S. government, which immediately notified the company, Mr. Hodge said.

Inside the government, the attack showed a significant cybersecurity gap in Microsoft’s defenses and raised serious questions about the security of cloud computing, the person briefed on the intrusion said. The government has been moving data to the cloud, which promises better access to information and improved security, because pushing out patches to vulnerabilities is faster. The U.S. also operates classified cloud servers, but they have more security protocols in place.

The person briefed on the intrusion said that government security requirements should have prevented the breach, and that Microsoft has been asked to provide additional information about the vulnerability.

“We continue to hold the procurement providers of the U.S. government to a high security threshold,” Mr. Hodge said.

The hack comes at a delicate point in U.S.-China relations, as the Biden administration seeks to cool tensions that have been aggravated in recent months by several incidents including the transit of a Chinese spy balloon across the United States. It could increase criticism that the Biden administration is not doing enough to deter Chinese espionage.

Cliff Sims, a former spokesman for the director of national intelligence in the Trump administration, said China had been emboldened because President Biden had not confronted Beijing over its attempts to influence recent elections.

“We need to have some serious conversations about how much hacking we’ll tolerate before taking action,” Mr. Sims said.

Mr. Bell, in the blog post, said that people affected by the hack had been notified and that the company had completed efforts to mitigate the attack. But government officials are continuing to ask the company to provide more details of the vulnerability and how it occurred, according to the person briefed on the intrusion.

Microsoft said it was told of the intrusion and compromise on June 16. The company’s blog post said the Chinese hacking group first gained access to email accounts a month earlier, on May 15.

Microsoft did not say how many accounts it believes might have been compromised by the Chinese hackers.

China has one of the most aggressive — and most capable — intelligence hacking operations in the world.

Beijing has, over the years, carried out a series of hacks that have succeeded in stealing huge amounts of government data. In 2015, a data breach apparently carried out by hackers affiliated with China’s foreign spy service stole huge numbers of records from the Office of Personnel Management.

In the SolarWinds hack, which took place during the Trump administration, Russian intelligence agencies used a software vulnerability to gain access to thousands of computer systems, including many government agencies. The hack was named after the network management software the Russian agencies had exploited to get into computers around the world.