Set-up: A Chinese hacker group called Storm-0558 reportedly breached accounts inside more than 24 organizations, including U.S. State Department officials’ Microsoft accounts leading-up to Secretary Antony Blinken’s June trip to Beijing. The hackers exploited a validation coding error enabling them to forge Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key, as a cryptographic tool, according to the Wall Street Journal (WSJ). Microsoft continues to investigate how the hackers got the cryptographic key and other unanswered questions.
Observed Anecdotes and Trends: Singapore Servers and Profile-Locations
VPN Server Anecdote: The WSJ stories immediately reminded me of recent VPN disconnects on a device with an associated “Certificate Verification Error” in the logs. A week or so later came a most unexpected change from the U.S.-located servers that my settings routinely connected me to, over onto a “Myanmar” server. I shut down the connection and raised hell with the VPN company about “Myanmar” servers. I was told that the company’s Myanmar servers are really in Singapore.
Hack Bait Anecdote: Singapore servers were also the reported origin or latest waypoint for the greatest number of spam / phishing attacks aimed at and blocked from my company website based on recent stats. Then there is the LinkedIn China-Singapore social engineering phenom.
Social Engineering for Secrets and Greenbacks, Trend: Singapore brings to mind many, many PRC-origin and styled LinkedIn profiles with very few connections that list Singapore as their location or site for university or professional education.
These profiles often present images and identities of attractive young professional women or men ostensibly working for western firms and persistently following, liking, reacting, and if possible, communicating and connecting with national security and defense professionals. Some are likely state actors working espionage desks, others are criminals, and or intermediary agents for mainland China and other state actors.
Anecdote: Gamers Complain of Chinese Hacker Latency on Singapore Based Servers: Three key causes of latency (delayed loading, slow performance) on servers are distance from the host servers, high network traffic loads, and server overload in processing mass requests.
Apparently, gamers have been complaining about high latency on some Singaporean servers hosting their games. Reddit forums cite Chinese hackers causing latency on Singaporean servers. User SoloQHerolol wrote “Asian Servers are plagued by Chinese Hackers,” and another, with 339 upvotes wrote “Singapore servers are absolutely full of bot. Use that information as you please,” as comments blame hackers from China for bot traffic. These are anecdotal samples suggesting that the traffic of Chinese hackers and bots causes latency on Singapore’s servers.
Recent History Context: PLA Threat to Singapore of Retaliation: In 2016 Singapore was openly threatened by PLA Major General Jin Yinan, influential strategic military advisor and PLA National Defense University professor who decried the use of Singapore’s Changi Naval Base by the US military and Singapore’s independent views on South China Sea rights. The PLA general’s wolf-warring words targeted Singapore on Chinese state radio that October: (excerpts follow…)
Within a few years the PLA Navy was berthing in Singapore and running joint naval drills with the City State, albeit not eclipsing the United States military partnership.
Singapore plays its neutrality between China and the U.S. in part analogy to the way Switzerland plays neutrality to Russian versus U.S. interests. Neutral states balancing between East and West; between autocracy and freedom.
Major Gen. Jin Yinan’s 2016 threats clearly leveraged Singapore. They also promised retaliation that could logically include loopholes for Chinese HUMINT, insider recruitment, access to servers, hardware, and related assets, information, and supply chains.
Such incursions would not be edgy at all in PLA terms. Edgy for the PLA and Chinese intelligence is hunting down dissidents in free nation cities and campuses; flying military sorties over South Korean territory; proliferating nuclear technology to tinpot dictators; terraforming islands bristling with military navy and air assets from shoals in the South China Sea; militarizing fishing boats and ramming vessels flying neighbor-nation flags; shooting lasers at U.S. military pilots’ eyes; and clipping U.S. surveillance planes in international airspace.
Microsoft’s Singapore Server Lifecycle Management: In 2022 Microsoft established its first eastern Circular Center of hardware lifecycle management in Singapore, reportedly processing some 12,000 servers per month for reuse. That figure implies a dense, vast global industry in server farms, data centers, and related supply-resupply chains inside of Singapore. That is an immense number of servers throughout their lifecycles to keep secure. The connections, servicing, support, communications, and labor to sustain data centers in Singapore including Microsoft’s clients, contractors, and competitors implies significant, complex interrelatedness between Singaporean servers and the world.
More Storm-0558 Attack Specifics: WSJ’s reporting zeroed in on the “cryptographic protection system” breach implied by the PRC’s hack discovered in June 2023:
Microsoft’s Incident Response blog put it this way:
Patterns to Formulate Research Question
Questions: Given the patterns and events above, could Storm-0558 have obtained inactive MSA consumer signing key by accessing component physical servers due for recycling that had been part of the virtual cloud network utilized by contract entities serving victim governments and organizations?
At what points in the physical server’s recycle and resupply chain could threat actors physically access cloud component physical servers not yet wiped or considered “stale devices”?
Alternatively, is it possible a missing or stale computing or storage device from a past Administration of an affected victim organization or agency was provided and ultimately accessed by Storm-0558?
It is possible that these questions miss the boat, or that the exploit risks raised by these questions have been ruled out. If so, it is hoped that the anecdotes, trends, details, and connections reviewed in these questions may aid investigators with discovering the method used by Storm-0558 to acquire the signing key.