Commerce Secretary Gina Raimondo's emails hacked in Microsoft cyber breach: Source

Commerce Secretary Gina Raimondo's emails were hacked as part of the Microsoft cyber breach, according to a source familiar with the investigation.

Microsoft's Outlook systems were breached by Chinese hackers, according to the company. The breach was discovered in May.

Raimondo’s Commerce Department has been imposing sanctions on China, and she met with her Chinese counterpart in May, promising better relations.

This isn't the first time a cabinet-level secretary's emails were breached. The emails of former Acting Secretary of Homeland Security Chad Wolf were compromised during the SolarWinds hack of 2020, which is widely considered one of the worst breaches in U.S. history.

SolarWinds was a hack that was carried out by the Russian nation-state actor Nobelium, Microsoft said in 2021.

Raimondo is the only cabinet secretary so far to have their emails hacked in this particular breach.

The State Department, though, was also impacted by the latest cyber breach.

While State Department spokesperson Matthew Miller could say little more about the breach from the podium today, officials familiar with the matter say the hack began in May but was not identified until mid-June, even though there were widespread issues within the department’s email systems earlier that month -- potentially missed warning signs.

The Department of Commerce is the second agency impacted by the Microsoft 365 hack by the Chinese hackers.

“Microsoft notified the Department of a compromise to Microsoft’s Office 365 system, and the Department took immediate action to respond,” a commerce department spokesperson told ABC News. “We are monitoring our systems and will respond promptly should any further activity be detected. The Department maintains strong cyber security protections, which we update to address a rapidly evolving cyber security landscape.”

In an alert sent Tuesday night, Microsoft said China was able to gain email data from 25 organizations.

"On June 16, 2023, based on customer reported information, Microsoft began an investigation into anomalous mail activity," the alert read. "Over the next few weeks, our investigation revealed that beginning on May 15, 2023, Storm-0558 gained access to email data from approximately 25 organizations, and a small number of related consumer accounts of individuals likely associated with these organizations. They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key. Microsoft has completed mitigation of this attack for all customers."

FBI and Cybersecurity and Infrastructure Security Agency officials told reporters earlier in the day that Microsoft acted “swiftly” to mitigate the damage done by the hacking of government emails.

The attack, officials said, was targeted and lasted for about a month.

“The targeting was intentional. This was an attack that was limited in scope and was not an attempt to compromise a broad array of organizations or accounts, as we have seen in other types of campaigns,” the CISA official said.

The adversary that hacked the emails is China, according to Microsoft, but officials did not give any U.S. government attribution.

“As Microsoft has articulated the timeline from the first known intrusion to the time when Microsoft remediated this attack vector was approximately one month, that does not mean that the duration of the intrusion for all victims was one month. And we do understand that some were shorter than one month, in some cases a number of days,” a senior CISA official said.

The CISA official said there was nothing classified that was compromised during the attack.

CISA and the FBI went into detail about how the Chinese carried out the attack in an alert on Wednesday.

“Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” the alert read. “The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.”

On Thursday, China’s Foreign Ministry spokesperson Wang Wenbin was asked about Microsoft’s claims that China is behind the hacking. He did not address the claim, but instead responded by claiming the U.S. is “the world’s biggest hacking empire and global cyber thief.”