Chinese spies who read State Department email also hacked GOP congressman
The Washington Post August 15, 2023
The suspected Chinese hackers who forged Microsoft customer identities to read the emails of State Department employees also obtained the personal and political emails of Rep. Don Bacon, a moderate Republican from Nebraska on the House Armed Services Committee.
Bacon tweeted Monday that he had been notified by the FBI that his emails were hacked by Chinese spies who took advantage of a Microsoft mistake for a month between mid-May and mid-June, which lines up with when investigators said the other breaches occurred.
Bacon said that he would “work overtime” to make sure that Taiwan receives all of the billions of dollars in U.S. weaponry that it has ordered.
“I’m a big proponent for Taiwan,” Bacon told The Washington Post by text message. “I suspect they’d like info to embarrass me or to undercut me politically. As I told FBI, I have nothing to be embarrassed about.”
Government and private sources told The Post a month ago that victims of the hacking campaign included Commerce Secretary Gina Raimondo, unnamed State Department employees, a human rights advocate and think tanks.
They also said that a congressional staffer had been targeted.
Bacon told The Post he was notified of the hacking only Monday, which suggests that new victims are still being discovered. The FBI did not respond to requests for comment. Neither did Microsoft.
Officials have described the spying as traditional espionage of the sort expected by all sides. It was about observation on issues of special concern, such as the U.S. response to escalating tensions between the autonomous island of Taiwan and China, which claims it.
But the breach has alarmed experts for another reason: It was unclear how the government could have prevented it while relying exclusively on Microsoft for cloud, email and authentication services.
Microsoft has said that the hackers obtained powerful signing keys they needed to create verified customer identities that could sidestep multifactor authentication. Combined with other Microsoft failings, millions of people could have been exposed to attack.
Officials have said that only a couple dozen entities were impersonated before the State Department found suspicious behavior in its activity logs. Microsoft was then able to search its own logs for the master key that the hackers had obtained and block future access.
Multiple members of Congress have demanded that federal agencies explain how they plan to combat similar attacks in the future and that Microsoft make logs more widely available, which it agreed to do.
Sen. Ron Wyden (D-Ore.) has gone further, asking the Justice Department and Federal Trade Commission to investigate whether Microsoft’s security practices were so poor as to be in violation of laws or its 20-year-old FTC consent decree requiring better security after the breach of what was then its single sign-on tool for authentication, Passport.
Wyden also urged the Department of Homeland Security to have its two-year-old Cyber Safety Review Board examine the Microsoft cloud breach. Last week, the board said it would take up the task.
The Department of Homeland Security referred questions to the FBI.
The Washington Post’s Leigh Ann Caldwell and David DiMolfetta contributed to this report.