Microsoft says hackers used a flaw in its code to steal emails from government agencies and other clients.
In a blog post published Friday, the company said that Chinese hackers were able to take advantage of “a validation error in Microsoft code” to carry out their cyberespionage campaign.
The blog provided the most thorough explanation yet for a hack that rattled both the cybersecurity industry and China-U.S. relations. Beijing has denied any involvement in the spying.
Microsoft and U.S. officials said on Wednesday night that since May, Chinese state-linked hackers had been secretly accessing email accounts at about 25 organizations. U.S. officials said those included at least two U.S. government agencies.
Microsoft has not identified any of the hack’s targets, but several victims have acknowledged they were affected, including personnel at the State Department, the Commerce Department and the U.S. House of Representatives.
Secretary of State Antony Blinken told China’s top diplomat, Wang Yi, in a meeting in Jakarta on Thursday that any action that targets the U.S. government, U.S. companies or American citizens “is of deep concern to us, and that we will take appropriate action to hold those responsible accountable,” according to a senior State Department official.
Microsoft’s own security practices have come under scrutiny, with officials and lawmakers calling on the Redmond, Washington-based company to make its top level of digital auditing, also called logging, available to all its customers free of charge.