A report issued by the Biden administration’s review board has criticised Microsoft’s corporate security and transparency. The “Review of the Summer 2023 Microsoft Exchange Online Intrusion” claims that a “cascade of Microsoft’s avoidable errors” enabled Chinese government-backed cyber operators to hack into the email accounts of senior US officials, including Commerce Secretary Gina Raimondo.
The Cyber Safety Review Board (CSRB), first formed in 2021 by executive order, reported on Microsoft’s poor cybersecurity practices and a weak security culture that it found lacking in candour, given the company’s limited knowledge of how the targeted breach occurred. The breach impacted several federal agencies dealing with China.
The 34-page report claimed that “Microsoft’s security culture was inadequate and requires an overhaul”, given its critical role in the global technology ecosystem and its products which “underpin essential services that support national security, the foundations of our economy, and public health and safety.”
Microsoft’s “preventable” cybersecurity attack
The attack, discovered in June 2023 by the State Department and dating to May that year, saw state-backed Chinese hackers infiltrate the Microsoft Exchange Online email accounts of 22 organisations and over 500 individuals worldwide, including the US ambassador to China, Nicholas Burns.
The threat actor, known as Storm-0558, is said to be affiliated with the People’s Republic of China in “pursuit of espionage objectives”.
The hackers were able to gain access to cloud-based email inboxes for a period of six weeks, downloading up to 60,000 emails from the State Department. The report also revealed that three think tanks and four foreign government entities were compromised, as reported to the UK’s National Cyber Security Centre.
The report found that the hackers were able to infiltrate systems because they had obtained a signing key used for secure authentication into remote systems. It also said that, at the date of the report’s release, Microsoft did not know how or when Storm-0558 obtained the signing key.
“When combined with another flaw in Microsoft’s authentication system, the key permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world”, the report stated.
The CSRB’s review concluded the attack was “preventable” and “identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritised enterprise security investments and rigorous risk management”.
Federal report calls for “rapid cultural change”
The panel has urged Microsoft to hold off on adding additional features to its cloud environment until “substantial security improvements have been made”.
It has also called for Microsoft’s CEO and board to undertake a “rapid cultural change” with a publicly shared “plan with specific timelines to make fundamental security-focused reforms across the company and its full suite of products.”
The board issued sweeping recommendations to improve the state of Microsoft’s security procedures for its critical cloud computing environment, so as to prevent attacks of this kind from recurring.
Microsoft responded in a statement that it valued the board’s review and would “continue to harden all our systems against the attack and implement even more robust sensors and logs to help us detect and repel the cyber armies of our adversaries.”
The tech giant acknowledged that these attacks demonstrate “a need to adopt a new culture of engineering security in our own networks”, adding that it has already “mobilised our engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks”.
“Individuals and organisations across the country rely on cloud services every day, and the security of this technology has never been more important,” said Secretary of Homeland Security Alejandro N. Mayorkas, who received the CSRB report from the Board and delivered it to President Biden. “Nation-state actors continue to grow more sophisticated in their ability to compromise cloud service systems. Public-private partnerships like the CSRB are critical in our efforts to mitigate the serious cyber threat these nation-state actors pose.”