Hong Kong —

State-backed Chinese hackers foiled Microsoft's cloud-based security in hacking the email accounts of officials at multiple U.S. agencies that deal with China ahead of Secretary of State Antony Blinken's trip to Beijing last month, officials said Wednesday.

The surgical, targeted espionage accessed the email of a small number of individuals at an unspecified number of U.S. agencies and was discovered in mid-June by the State Department, U.S. officials said. They said none of the breached systems were classified, nor was any of the stolen data.

Related video above: Rossen Reports: How to sign up for dark web monitoring

The hacked officials included Commerce Secretary Gina Raimondo, The Washington Post reported, citing anonymous U.S. officials. Export controls imposed by her agency have stung multiple Chinese companies.

One person familiar with the investigation said U.S. military and intelligence agencies were not among the agencies impacted in the monthlong spying campaign, which also affected unnamed foreign governments.

The officials spoke on condition they not be further identified.

In a technical advisory Wednesday and a call with reporters, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI said Microsoft determined the hackers gained access by impersonating authorized users.

Officials did not specify the nature of the stolen data. But one U.S. official said the intrusion was “directly targeted” at diplomats and others who deal with the China portfolio at the State Department and other agencies. The official added that it was not yet clear if there had been any significant compromise of information.

The Blinken trip went ahead as planned, although with customary information security procedures in place, which required his delegation to use “burner” phones and computers in China.

The hack was disclosed late Tuesday by Microsoft in a blog post. It said it was alerted to the breach, which it blamed on a state-backed, espionage-focused Chinese hacking group “known to target government agencies in Western Europe,” on June 16. Microsoft said the group, which it calls Storm-0558, had gained access to email accounts affecting about 25 organizations, including government agencies, since mid-May as well as to consumer accounts of individuals likely associated with those agencies.

Neither Microsoft nor U.S. officials would identify the agencies or governments impacted. A senior CISA official told reporters in a press call that the number of affected organizations in the United States is in the single digits.

While the official declined to say whether U.S. officials are displeased with Microsoft over the breach, U.S. National Security Council spokesman Adam Hodge noted that it was “government safeguards” that detected the intrusion and added, “We continue to hold the procurement providers of the U.S. Government to a high security threshold.”

In fact, those safeguards consist of a data-logging feature for which Microsoft charges a premium. The CISA official noted that some of the victims lacked the data-logging feature and, unable to detect the breach, learned of it from Microsoft.

But of greater concern to cybersecurity experts is that The Storm-0558 hackers broke in using forged authentication tokens — which are used to verify the identity of a user. Microsoft's executive vice president for security, Charlie Bell, said on the company's website that the hackers had done that by acquiring a “consumer signing key.”

Cybersecurity researcher Jake Williams, a former National Security Agency offensive hacker, said it remains unclear how the hackers accomplished that. Microsoft did not immediately respond to emailed questions, including whether it was breached by the hackers to obtain the signing key.

Williams was concerned the hackers could have forged tokens for wide use to hack any number of non-enterprise Microsoft users. “I can’t imagine China didn’t also use this access to target dissidents on personal subscriptions, too."

The head of intelligence for the cybersecurity firm Crowdstrike, Adam Meyers, said in a statement that the incident highlights the systemic risk of relying on a single technology provider in Microsoft. He said “having one monolithic vendor that is responsible for all of your technology, products, services and security - can end in disaster.”

A Chinese foreign ministry spokesman, Wang Wenbin, called the U.S. accusation of hacking “disinformation” aimed at diverting attention from U.S. cyberespionage against China.

“No matter which agency issued this information, it will never change the fact that the United States is the world’s largest hacker empire conducting the most cyber theft,” Wang said in a routine briefing.

U.S. intelligence agencies also use hacking as a critical espionage tool and it is not a violation of international law.

Last month, Google-owned cybersecurity firm Mandiant said suspected state-backed Chinese hackers broke into the networks of hundreds of public and private sector organizations globally exploiting a vulnerability in a popular email security tool.

Earlier this year, Microsoft said state-backed Chinese hackers were targeting U.S. critical infrastructure and could be laying the technical groundwork to disrupt critical communications between the U.S. and Asia during future crises.

____

Associated Press writers Aamer Madhani in Washington and Zen Soo in Hong Kong contributed to this report. Bajak reported from Boston.

WASHINGTON (AP) — Dozens of email accounts at the Treasury Department were compromised in the massive breach of U.S. government agencies being blamed on Russia.

That's according to an Oregon Democrat, Sen. Ron Wyden, who says hackers broke into systems used by the department’s highest-ranking officials.

Wyden issued a statement Monday after he and other members of the Senate Finance Committee were briefed by the IRS and the Treasury Department.

Wyden says that though there is no indication that taxpayer data was compromised, the hack “appears to be significant." In addition, the breach appears to involve the theft of encryption keys from U.S. government servers, Wyden said.

“Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen,” Wyden said in a statement.

It is also not clear what Russian hackers intend to do with any emails they may have accessed.

A Treasury Department spokeswoman declined to comment on Wyden’s statement.

Treasury was among the earliest known agencies reported to have been affected in a breach that now encompasses a broad spectrum of departments. The effects and consequences of the hack are still being assessed, though the Department of Homeland Security’s cybersecurity arm said in a statement last week that the intrusion posed a “grave” risk to government and private networks.

In the Treasury Department’s case, Wyden said, the breach began in July. But experts believe the overall hacking operation began months earlier when malicious code was slipped into updates to popular software that monitors computer networks of businesses and governments.

HILLSBOROUGH COUNTY, Fla. — Gift cards are a billion-dollar business during the holidays, but you may have bought a worthless stolen card without even realizing it.

Thieves are stealing the activation codes and other data from the card. They are then monitoring those cards for activation and wiping out the balances seconds after they are purchased.

Jack Garthwaite says he and his mom purchased six $100 iTunes gift cards at Target.

Garthwaite says he took advantage of a Black Friday deal where Target offered a $20 gift card for every $100 spent on iTunes cards. Several days later, Garthwaite, a college student, says he attempted to use the cards to buy his dad a new phone.

“I tried to redeem the first one, and Apple was saying it had already been used. So, I tried the next one same thing, next one same thing,” he said. “My heart sank. I was like, this is bad.”

Garthwaite contacted both Target and Apple about his worthless gift cards.

“Apple was able to confirm it was not on my account; that I did not redeem them,” he said.

According to an email from Apple to Garthwaite, the cards were redeemed minutes after purchase. But Garthwaite said Target did not refund his money.

“Tried to talk to the manager, and he pretty much shut us down,” Garthwaite said. Adding that the manager told him there were “no refunds on gift cards. ”

ABC Action News reached out to Target to ask about Garthwaite’s claim. Days later, a spokesperson responded in an email:

“After looking into the information provided, our guest relations team reached out to Mr. Garthwaite and provided a full refund for the gift cards purchased."

“I was very happy about that,” Garthwaite said.

Gift cards hanging on racks out-in-the-open may be vulnerable to tampering, so you should buy gift cards online whenever possible.

This story originally reported by Jackie Callaway on abcactionnews.com.

The Federal Bureau of Investigation issued a public service announcement Tuesday warning users of smart home devices of being hacked for "swatting" incidents.

In the PSA, the FBI asked users to use "complex and unique passwords and enable two-factor authentication" to protect against the attacks after they were notified of hackers using stolen email passwords to access them.

"Offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks," the PSA read. "To gain access to smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart devices. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers."

According to the FBI, swatting is when a hoax call is made to 911 to report an immediate threat to human life that leads to a response from law enforcement and the S.W.A.T. team.

The FBI said these incidents are motivated by revenge or a prank.

"They then call emergency services to report a crime at the victims’ residence," the PSA stated. "As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms."

The FBI also advised users not to duplicate passwords between different online accounts to protect themselves better.

Microsoft now says suspected Russian hackers behind a massive campaign that impacted government agencies, local municipalities and companies were also able to view some of the company’s source code.

In a blog post Thursday, Microsoft says the unauthorized access “has not put at risk the security of our services or any customer data.”

"We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories," Microsoft stated. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated."

Source code is the basic building blocks of computer programs, like the instructions.

Last month, as news of the hacking campaign surfaced, Microsoft acknowledged using the IT management software SolarWinds Orion, which is how the attackers gained access to thousands of government, public, and private organizations.

Microsoft has said in earlier blog posts they were aware of clients they serviced who were compromised, Thursday’s update is the first time the company has confirmed the attackers compromised them.

Microsoft says they operate with a philosophy of making source code viewable, and do not rely on secrecy of this code for security. “So viewing source code isn’t tied to elevation of risk,” they stated.

The cyber insurance industry, once a profitable niche, is now in the crosshairs of ransomware criminals.

They have hacked brokerages and major insurers.

Determining who has coverage and how much can help them pick targets and negotiate payments.

Skyrocketing extortion demands and a rise in ransomware attacks has the industry teetering on the edge of profitability.

Pressure is building on the industry to stop reimbursing for ransoms, but so far only one major cyber insurer, AXA, is doing so — and only with new policies in France.

To try to absorb the growing onslaught and stay profitable, insurers are retooling coverage, demanding clients up their security.

NEW YORK —

The operator of the nation’s largest fuel pipeline confirmed it paid $4.4 million to a gang of hackers who broke into its computer systems.

Colonial Pipeline said Wednesday that after it learned of the May 7 ransomware attack, the company took its pipeline system offline and needed to do everything in its power to restart it quickly and safely, and made the decision then to pay the ransom.

"This decision was not made lightly," but it was one that had to be made, a company spokesman said. "Tens of millions of Americans rely on Colonial – hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public."

Colonial Pipeline's CEO, Joseph Blount, told The Wall Street Journal he authorized the payment because the company didn't know the extent of the damage and wasn't sure how long it would take to bring the pipeline's systems back.

The FBI discourages making ransom payments to ransomware attackers, because paying encourages criminal networks around the globe who have hit thousands of businesses and health care systems in the U.S. in the past year alone. But many victims of ransomware attacks, where hackers demand large sums of money to decrypt stolen data or to prevent it from being leaked online, opt to pay.

"I know that’s a highly controversial decision," Blount told the Journal. "But it was the right thing to do for the country."

Blount said Colonial paid the ransom in consultation with experts who previously dealt with the group behind the attacks, DarkSide, which rents out its ransomware to partners to carry out the actual attacks.

Multiple sources had confirmed to The Associated Press that Colonial Pipeline had paid the criminals who committed the cyberattack a ransom of nearly $5 million in cryptocurrency for the software decryption key required to unscramble their data network.

A ransom payment of 75 Bitcoin was paid the day after the criminals locked up Colonial’s corporate network, according to Tom Robinson, co-founder of the cryptocurrency-tracking firm Elliptic. Prior to Robinson’s blog post, two people briefed on the case had confirmed the payment amount to AP.

Blount told the Journal the attack was discovered around 5:30 a.m. on May 7. It took Colonial about an hour to shut down the pipeline, which has 260 delivery points across 13 states and Washington, D.C., Blount said. That helped prevent the infection from potentially migrating to the pipeline's operational controls. But there are lingering issues. Blount said Colonial is still unable to bill customers following an outage of that system.

The pipeline system delivers about 45% of the gasoline consumed on the East Coast, and Colonial, which is based in Alpharetta, Georgia, halted fuel supplies for nearly a week. That led to panic-buying and shortages at gas stations from Washington, D.C. to Florida.

Colonial restarted its pipeline a week ago, but it took time to resume a full delivery schedule, and the panic-buying led to gasoline shortages. More than 9,500 gas stations were out of fuel on Wednesday, including half of the gas stations in D.C. and 40% of stations in North Carolina, according to Gasbuddy.com, which tracks fuel prices and station outages.

___

Associated Press Writer Frank Bajak contributed to this report from Boston.

BOSTON, Mass. – The Federal Bureau of Investigation (FBI) is warning people of “Zoom-bombing,” where hackers hijack teleconferences and online classrooms on the popular remote conferencing platform.

FBI Boston

said Monday

that reports of “Zoom-bombing” are emerging nationwide as a growing number of people use Zoom to stay connected with colleagues and loved ones.

The FBI says it has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. Two incidents were recently reported at Massachusetts schools.

In one instance, a high school reported that a teacher was conducting an online class using Zoom when an unidentified person dialed into the classroom. The individual reportedly yelled profanity and then shouted the teacher’s home address in the middle of instruction.

In the second instance, The FBI says a school reported that a Zoom meeting was accessed by an unidentified individual who was visible on the video camera and displayed swastika tattoos.

When using platforms like Zoom, the FBI recommends exercising due diligence and caution in your cybersecurity efforts. Investigators say to follow these steps to mitigate teleconference hijacking threats:

• Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.

• Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.

• Manage screensharing options. In Zoom, change screensharing to “Host Only.”

• Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated its software. In the security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.

• Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

If you were a victim of a teleconference hijacking, or any cyber-crime for that matter, report it to the FBI’s Internet Crime Complaint Center at

ic3.gov

.

Additionally, if you receive a specific threat during a teleconference, please report it at

tips.fbi.gov

or call the FBI Boston Division at (857) 386-2000.