China-based hackers have breached email accounts at two dozen organizations, including some United States government agencies, in an apparent spying campaign aimed at acquiring sensitive information, according to statements from Microsoft and the White House late Tuesday.
The full scope of the hack is being investigated, but US officials and Microsoft have been quietly scrambling in recent weeks to assess the impact of the hack, which targeted unclassified email systems, and contain the fallout.
The federal agency where the Chinese hackers were first detected was the State Department, a person familiar with the matter told CNN. The State Department then reported the suspicious activity to Microsoft, the person said.
The Department of Commerce, which has sanctioned Chinese telecom firms, was also breached. The hackers accessed Commerce Secretary Gina Raimondo’s email account, one source familiar with the investigation told CNN. The Washington Post first reported on the access of the secretary’s account.
The Chinese hackers were detected targeting a small number of federal agencies and just a handful of officials’ email accounts at each agency in a hack aimed at specific officials, multiple sources familiar with the investigation told CNN.
“Microsoft notified the (Commerce) Department of a compromise to Microsoft’s Office 365 system, and the Department took immediate action to respond,” a department spokesperson said in a statement on Wednesday.
The spokesperson did not immediately reply to a request for comment on the targeting of Raimondo’s email account.
The hackers targeted email accounts at the House of Representatives, but it was unclear who was targeted and if the breach attempts were successful, two sources familiar with the matter told CNN.
The breaches add to what is already one of the steepest cybersecurity challenges facing the Biden administration: limiting the ability of Beijing’s formidable hacking teams to access US government and corporate secrets.
“Last month, US government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” National Security Council spokesperson Adam Hodge said in a statement to CNN.
“Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service,” Hodge said. “We continue to hold the procurement providers of the US Government to a high security threshold.”
The State Department “detected anomalous activity, took immediate steps to secure our systems, and will continue to closely monitor and quickly respond to any further activity,” a department spokesperson said on Wednesday.
US Capitol Police declined to comment, referring CNN to the FBI.
Hodge did not identify who was behind the hack, but Microsoft executives said in a blog post that the hackers were based in China and focused on espionage.
In response to the Microsoft and White House statements, the Chinese foreign ministry on Wednesday accused Washington of conducting its own hacking operations.
US officials have consistently labeled China as the most advanced of US adversaries in cyberspace, a domain that has repeatedly been a source of bilateral tension in recent years. The FBI has said Beijing has a larger hacking program than all other governments combined.
China has routinely denied the allegations.
The hacking began in mid-May, when the China-based hackers used a stolen sign-in key to burrow their way into email accounts, according to Microsoft. The tech giant has since blocked the hackers from accessing customer emails using that technique, Microsoft said late Tuesday.
Secretary of State Antony Blinken visited China in mid-June, but it was not immediately clear if the cyber-espionage campaign was connected to that high-stakes visit.
Some US officials credited the State Department with investing in more cyber-defense capabilities, allowing the agency to detect the suspicious activity earlier than in past advanced hacks.
The number of US organizations, public or private, impacted by the hacking campaign is in the “single digits,” a senior US Cybersecurity and Infrastructure Security Agency official told reporters on Wednesday.
“This appears to have been a very targeted, surgical campaign,” the official said.
This story has been updated with additional information.