Connect with us

Hi, what are you looking for?

The Independent TradersThe Independent Traders

World News

Chinese spies who read State Dept. email also hacked GOP congressman

The suspected Chinese hackers who forged Microsoft customer identities to read the emails of State Department employees also obtained the personal and political emails of Rep. Don Bacon, a moderate Republican from Nebraska on the House Armed Services Committee.

Bacon tweeted Monday that he had been notified by the FBI that his emails were hacked by Chinese spies who took advantage of a Microsoft mistake for a month between mid-May and mid-June, which lines up with when investigators said the other breaches occurred.

Bacon said that he would “work overtime” to make sure that Taiwan receives all of the billions of dollars in U.S. weaponry that it has ordered.

“I’m a big proponent for Taiwan,” Bacon told The Washington Post by text message. “I suspect they’d like info to embarrass me or to undercut me politically. As I told FBI, I have nothing to be embarrassed about.”

Government and private sources told The Post a month ago that victims of the hacking campaign included Commerce Secretary Gina Raimondo, unnamed State Department employees, a human rights advocate and think tanks.

They also said that a congressional staffer had been targeted.

Bacon told The Post he was notified of the hacking only Monday, which suggests that new victims are still being discovered. The FBI did not respond to requests for comment. Neither did Microsoft.

Officials have described the spying as traditional espionage of the sort expected by all sides. It was about observation on issues of special concern, such as the U.S. response to escalating tensions between the autonomous island of Taiwan and China, which claims it.

But the breach has alarmed experts for another reason: It was unclear how the government could have prevented it while relying exclusively on Microsoft for cloud, email and authentication services.

Microsoft has said that the hackers obtained powerful signing keys they needed to create verified customer identities that could sidestep multifactor authentication. Combined with other Microsoft failings, millions of people could have been exposed to attack.

Officials have said that only a couple dozen entities were impersonated before the State Department found suspicious behavior in its activity logs. Microsoft was then able to search its own logs for the master key that the hackers had obtained and block future access.

Multiple members of Congress have demanded that federal agencies explain how they plan to combat similar attacks in the future and that Microsoft make logs more widely available, which it agreed to do.

Sen. Ron Wyden (D-Ore.) has gone further, asking the Justice Department and Federal Trade Commission to investigate whether Microsoft’s security practices were so poor as to be in violation of laws or its 20-year-old FTC consent decree requiring better security after the breach of what was then its single sign-on tool for authentication, Passport.

Wyden also urged the Department of Homeland Security to have its two-year-old Cyber Safety Review Board examine the Microsoft cloud breach. Last week, the board said it would take up the task.

The Department of Homeland Security referred questions to the FBI.

Leigh Ann Caldwell and David DiMolfetta contributed to this report.

This post appeared first on The Washington Post

The suspected Chinese hackers who forged Microsoft customer identities to read the emails of State Department employees also obtained the personal and political emails of Rep. Don Bacon, a moderate Republican from Nebraska on the House Armed Services Committee.

Bacon tweeted Monday that he had been notified by the FBI that his emails were hacked by Chinese spies who took advantage of a Microsoft mistake for a month between mid-May and mid-June, which lines up with when investigators said the other breaches occurred.

Bacon said that he would “work overtime” to make sure that Taiwan receives all of the billions of dollars in U.S. weaponry that it has ordered.

“I’m a big proponent for Taiwan,” Bacon told The Washington Post by text message. “I suspect they’d like info to embarrass me or to undercut me politically. As I told FBI, I have nothing to be embarrassed about.”

Government and private sources told The Post a month ago that victims of the hacking campaign included Commerce Secretary Gina Raimondo, unnamed State Department employees, a human rights advocate and think tanks.

They also said that a congressional staffer had been targeted.

Bacon told The Post he was notified of the hacking only Monday, which suggests that new victims are still being discovered. The FBI did not respond to requests for comment. Neither did Microsoft.

Officials have described the spying as traditional espionage of the sort expected by all sides. It was about observation on issues of special concern, such as the U.S. response to escalating tensions between the autonomous island of Taiwan and China, which claims it.

But the breach has alarmed experts for another reason: It was unclear how the government could have prevented it while relying exclusively on Microsoft for cloud, email and authentication services.

Microsoft has said that the hackers obtained powerful signing keys they needed to create verified customer identities that could sidestep multifactor authentication. Combined with other Microsoft failings, millions of people could have been exposed to attack.

Officials have said that only a couple dozen entities were impersonated before the State Department found suspicious behavior in its activity logs. Microsoft was then able to search its own logs for the master key that the hackers had obtained and block future access.

Multiple members of Congress have demanded that federal agencies explain how they plan to combat similar attacks in the future and that Microsoft make logs more widely available, which it agreed to do.

Sen. Ron Wyden (D-Ore.) has gone further, asking the Justice Department and Federal Trade Commission to investigate whether Microsoft’s security practices were so poor as to be in violation of laws or its 20-year-old FTC consent decree requiring better security after the breach of what was then its single sign-on tool for authentication, Passport.

Wyden also urged the Department of Homeland Security to have its two-year-old Cyber Safety Review Board examine the Microsoft cloud breach. Last week, the board said it would take up the task.

The Department of Homeland Security referred questions to the FBI.

Leigh Ann Caldwell and David DiMolfetta contributed to this report.

This post appeared first on The Washington Post

 

You May Also Like

Tech News

Unity Earlier this week, Unity, the company that makes the Unity video game engine popular with indie developers, announced that it was changing its...

Tech News

Illustration: The Verge X CEO Linda Yaccarino announced a series of changes to her executive team, including a shakeup to the company’s sales organization...

Tech News

Image: Brazil Climate Summit At the moment I arrived at the Brazil Climate Summit event, it felt like home to me. As I opened...

Tech News

The Logitech G Pro X Superlight 2 mouse. | Photo by Sean Hollister / The Verge I called it the real magic mouse, but...