{"id":1692,"date":"2023-09-06T20:03:05","date_gmt":"2023-09-06T20:03:05","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=76886"},"modified":"2023-09-06T20:03:05","modified_gmt":"2023-09-06T20:03:05","slug":"mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/09\/06\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key\/","title":{"rendered":"Mystery solved? Microsoft thinks it knows how Chinese hackers stole its signing key"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Mystery solved? Microsoft thinks it knows how Chinese hackers stole its signing key | CyberScoop<\/title> <meta name=\"description\" content=\"A &quot;crash dump&quot; file containing a highly sensitive signing key is believed to have been at the center of an explosive Chinese hacking campaign.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/microsoft-china-signing-key\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Mystery solved? 
content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.2578125\">\n<div class=\"single-article__header-content\" readability=\"30.098901098901\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> A &#8220;crash dump&#8221; file containing a highly sensitive signing key is believed to have been at the center of an explosive Chinese hacking campaign. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key-1.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key-1.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key-1.jpg?resize=768,511 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key-1.jpg?resize=1024,681 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key-1.jpg?resize=1536,1022 1536w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key-1.jpg?resize=600,399 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key-1.jpg?resize=253,168 253w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key-1.jpg?resize=507,337 507w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key-1.jpg?resize=1015,675 1015w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/mystery-solved-microsoft-thinks-it-knows-how-chinese-hackers-stole-its-signing-key-1.jpg?resize=1267,843 1267w\" sizes=\"(max-width: 1015px) 100vw, 1015px\"><figcaption> A China Central Television news broadcast shows footage of Microsoft co-founder Bill Gates meeting with Chinese President Xi Jinping, on a giant screen outside a shopping mall in Beijing on June 16, 2023. (GREG BAKER\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"34.363132911392\"><body readability=\"69.441885377611\"><\/p>\n<p>When Microsoft revealed earlier this year that hackers based in China <a href=\"https:\/\/cyberscoop.com\/china-hackers-email-us-government\/\">snooped on the email accounts<\/a> belonging to senior U.S. officials, the news was accompanied by a mystery: How did the hackers obtain the signing key \u2014 the closely guarded, critical piece of Microsoft\u2019s security infrastructure \u2014 that they used to bypass security protections? 
<\/p>\n<p>On Wednesday, Microsoft <a href=\"https:\/\/msrc.microsoft.com\/blog\/2023\/09\/results-of-major-technical-investigations-for-storm-0558-key-acquisition\/\">revealed the results<\/a> of its internal investigation regarding how that key was stolen, the findings of which describe a series of cascading security failures that resulted in a signing key ending up in the hands of apparent Chinese hackers.<\/p>\n<p>The theft of that key allowed the hackers to access the email accounts belonging to U.S. Secretary of Commerce Gina Raimondo and the U.S. ambassador to China, Nicholas Burns, at a crucial moment of diplomatic engagement between Washington and Beijing. The incident has raised major questions <a href=\"https:\/\/cyberscoop.com\/microsoft-china-hacking-state\/\">about Microsoft\u2019s security and business practices<\/a> and <a href=\"https:\/\/cyberscoop.com\/microsoft-china-breach-encryption-key\/\">whether the firm understood the full scope of the attack<\/a>. <\/p>\n<p>According to Microsoft, the series of events that culminated in an espionage campaign targeting U.S. officials began with a \u201ccrash dump\u201d \u2014 the set of information that describes the state of a computer or program when it fails. When a Microsoft consumer-signing system crashed in April 2021, the resulting crash dump included a signing key. That key should have been redacted but due to an error was not. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In the belief that the crash dump did not contain any sensitive information, the file was moved from Microsoft\u2019s highly secure production system into its less secure corporate network. At some point after April 2021, a Chinese hacker compromised an account belonging to a Microsoft engineer with access to the debugging file containing the signing key. 
<\/p>\n<p>If a crash dump is the garbage generated by a failing computer system, stealing a signing key via a crash dump is like rifling through a garbage can and discovering the key to the family safe. <\/p>\n<p>Microsoft\u2019s investigators cannot be sure that this is how the key was stolen \u2014 the logs that would settle the question are no longer available \u2014 but they believe the crash dump file to be the most likely path.<\/p>\n<p>Trey Herr, the director of the Atlantic Council\u2019s Cyber Statecraft Initiative, described the crash dump as a \u201cbrutal vector of compromise\u201d and commended Microsoft on tracing the breach to its source but added that questions remain about the company\u2019s design and security choices. Microsoft\u2019s Wednesday blog post still has \u201cno good answer on why this key was allowed to sign so far across different services,\u201d Herr said. That scope question matters as much as the leak itself: a key from a consumer signing system should not have been accepted by unrelated services, which is how a single compromised key could reach the email of senior U.S. officials.<\/p>\n<p>Sen. Ron Wyden, D-Ore., said in a statement to CyberScoop that while \u201cMicrosoft deserves credit for providing additional details about the hack\u201d the firm \u201chas an obligation to explain why it deviated from best practices and its own advice when it came to protecting highly sensitive encryption keys.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Wednesday\u2019s post is unlikely to be the final word on the breach. The U.S. Cyber Safety Review Board <a href=\"https:\/\/cyberscoop.com\/cyber-safety-review-board-microsoft-cisa-dhs\/\">is currently investigating<\/a> the breach as part of a broader examination of cloud security. <\/p>\n<p>In a measure of irony, Microsoft no longer has access to the security logs that would contain the definitive evidence that the key was exfiltrated via the crash dump. 
When the attack was first revealed earlier this year, Microsoft came under intense criticism for its customer logging policies, which required clients to upgrade to a more expensive service to have access to the more comprehensive logs containing evidence of the attack. The gap in Microsoft\u2019s own records is a separate problem: because of its internal log retention policies, the company no longer holds the logs that would detail how the signing key was stolen, so the crash dump account remains its best assessment rather than a confirmed finding.<\/p>\n<p><em><strong>Update, Sept. 6, 2023: <\/strong>This article has been updated with a statement from Sen. Ron Wyden. <\/em> <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div 
class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/microsoft-china-signing-key\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mystery solved? Microsoft thinks it knows how Chinese hackers stole<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[271,623,78,302,281,625],"tags":[277,628,86,306,285,630],"class_list":["post-1692","post","type-post","status-publish","format-standard","hentry","category-china","category-commerce-department","category-cybersecurity","category-geopolitics","category-hacking","category-microsoft","tag-china","tag-commerce-department","tag-cybersecurity","tag-geopolitics","tag-hacking","tag-microsoft"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/commerce-department\/\" rel=\"category tag\">Commerce Department<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a>","tag_info":"Microsoft","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1692","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1692"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1692\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1692"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1692"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1692"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}