A cybersecurity official at the US State Department had noticed something unusual. An internal IT security system, nicknamed Big Yellow Taxi, had flagged unusual activity on its corporate Microsoft account.
The tech team quickly raised their concerns to Microsoft, hoping the alert was a false positive.
What rapidly emerged, however, was that a Chinese government hacking group, codenamed Storm-0558, had compromised the emails of hundreds of US government officials.
An official US government postmortem examination included one frightening possibility: that China had developed a quantum supercomputer capable of cracking all Western encryption and rendering cyber defences useless.
Victims of the hack, discovered on June 15, included Gina Raimondo, the US Commerce Secretary, the US Ambassador to China, and dozens of high-ranking officials and politicians in America and the UK.
Nine months later and experts at Microsoft and US officials at CISA — the US cyber defence agency — are still unpicking what happened. China’s hackers had been able to steal or forge a digital key, the “cryptographic equivalent of crown jewels”, US officials said in a report.
This key could be used to unlock crucial parts of the US government’s digital infrastructure, cracking open email accounts belonging to high-ranking officials worldwide. The hackers stole 60,000 emails from the State Department alone, although it is still unclear how this was achieved.
On June 26, 10 days after the US government discovered the Chinese hack, Microsoft launched an “all-hands-on-deck” investigation that ran overnight, uncovering the loss of the secret key.
“Microsoft developed 46 hypotheses to investigate,” the CISA report said, “including some scenarios as wide-ranging as the adversary possessing a theoretical quantum computing capability to break public-key cryptography”.
The CISA report adds: “As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key.”
Another possibility raised in the government report is that an insider stole the information years ago. A Microsoft spokesman declined to comment.
Cybersecurity sources note a quantum-powered hack would be the “least likely” scenario. One industry source says the probability China has cracked such a huge technical problem is less than zero. Given the catastrophic nature of the attack, experts say Microsoft had to rule out a range of possible causes.
In a March blog post, Microsoft said: “Our leading hypothesis remains that operational errors resulted in key material leaving the secure token signing environment.”
But the disclosures by US officials show how seriously the threat of China’s quantum advances is being taken by the world’s most valuable technology company.
A secret quantum computer developed by a rival power would “absolutely be a nightmare scenario”, putting critical private information at risk of being stolen, says Sebastian Weidt, chief executive of Brighton-based start-up Universal Quantum.
The development of quantum computers remains in its infancy, but the technology is seen as crucial to future national security. The advanced machines are quite different from a modern supercomputer, relying on properties of quantum physics and particles to conduct advanced calculations.
In theory, this should allow them to far outstrip the capabilities of traditional computers, which rely on binary ones and zeros to operate. A major fear is they could be used to easily break modern coding systems and access private information.
“Offensive use of quantum computing would render most modern techniques to secure data in transit and data at rest useless,” says Adam Maruyama, chief technology officer at cybersecurity company Garrison and a former intelligence officer. “Because today’s security ecosystem puts so much stock into the strength of encryption algorithms, this would be a disaster.”
The development of a quantum system by a rival nation in secret is also being taken seriously by security officials in the US and the UK. Officials have dubbed the advent of such technology Q-Day, and have been urgently researching so-called “post-quantum cryptography”, which could be resistant to such a machine.
Numerous start-ups have been trying to develop systems that could apply uncrackable new encryption techniques to the internet to defend against a quantum hack.
The US is viewed as a leader in quantum technology. Tech giants, including Google and IBM, claim to have made great strides towards building functional computers.
But China has been racing to catch up. According to McKinsey, Beijing has earmarked US$15.3 billion ($25.4b) for quantum computing projects. In 2020, Chinese scientists claimed to have developed a quantum computer that had achieved “quantum supremacy” by solving a physics problem millions of times faster than a traditional supercomputer.
However, such breakthroughs remain in the esoteric realms of particle physics with few practical applications.
Quantum computers themselves are totally unlike a typical computer. These intricate creations are large, spindly, often built with materials such as gold or rare earth metals, while operating in cryogenic chambers well below freezing to enhance their quantum properties.
As for code breaking, most quantum and cybersecurity experts agree even China is years away from developing such a computer. “The science is simply no way near there yet,” says one industry source.
Weidt, of Universal Quantum, adds: “It is highly unlikely that [Microsoft’s] encryption was broken by a quantum computer. As far as we know, significantly larger quantum computers than we have available today will be needed for such a task.”
Regardless of how the hackers conducted last year’s hack, the US says the sting “struck the espionage equivalent of gold” in a report that was scathing about Microsoft’s security readiness.
The government report accused Microsoft of a “cascade of avoidable errors” in the run-up to the incident. It also criticised Microsoft for putting out misleading public statements that claimed it had uncovered the origin of the leaked key, when in fact it had not.
It failed to correct the record for more than six months.
Microsoft’s internal investigations have ruled out the possibility that an insider stole the key used to hack the US government. It disclosed it had uncovered a separate 2021 hack by Storm-0558 of a laptop belonging to an engineer who had joined from a company it had acquired, which could be linked, but the US government said it had seen “no specific evidence to such effect”.
A quantum intrusion may have been the most far-out scenario explored by Microsoft, but the US government’s assessment says the company remains in the dark over the truth.
“Nine months after the discovery of the intrusion, Microsoft says that its investigation into these hypotheses remains ongoing.”