A “cascade of security failures” at Microsoft allowed a state-backed Chinese hacking group to access the email accounts of senior U.S. government officials last year, according to a blistering report from a cybersecurity review board released Wednesday.
The report from the U.S. Cyber Safety Review Board, created in 2021 by U.S. President Joe Biden, describes widespread issues with the tech giant’s culture of corporate security and transparency, including shoddy cybersecurity practices that have been left unaddressed for years. It says Microsoft needs to completely overhaul that security culture to ensure such a “preventable” breach doesn’t happen again.
Most concerningly, the board found Microsoft still doesn’t know how the hackers broke in — despite public statements at the time saying otherwise, which remained uncorrected for months.
“Unfortunately, throughout this review, the Board identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management,” the report says.
“These decisions resulted in significant costs and harm for Microsoft customers around the world. The Board is convinced that Microsoft should address its security culture.”
The intrusion, which began in May 2023 and was first identified by the U.S. State Department the following month, impacted the Microsoft Exchange Online emails of 22 organizations and more than 500 individuals around the world. Those included some of the top U.S. government officials managing the U.S.-China relationship, such as U.S. Commerce Secretary Gina Raimondo and the U.S. ambassador to China, Nicholas Burns.
The Chinese government-affiliated hacking group, known as Storm-0558, infiltrated some cloud-based email accounts for at least six weeks and downloaded some 60,000 emails from the State Department alone, the 34-page report said. Three think tanks and foreign government entities, including a number of British organizations, were among those compromised, it said.
The hackers “struck the espionage equivalent of gold,” the review board’s chair Robert Silvers and deputy chair Dmitri Alperovitch said in an opening message to the report.
The panel made a number of sweeping recommendations, including urging Microsoft to put on hold adding features to its cloud computing environment until “substantial security improvements have been made.”
Get daily National news
It said Microsoft’s CEO and board should institute “rapid cultural change” including publicly sharing “a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.”
In a statement, Microsoft said it appreciated the board’s investigation and would “continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries.”
The Canadian Centre for Cyber Security was among the agencies that provided insight and expertise during the review. The Cyber Centre, part of Communications Security Establishment Canada (CSE), regularly partners with the U.S. Cybersecurity and Infrastructure Security Agency that oversees the review board and other Five Eyes intelligence allies’ cybersecurity agencies.
In a statement to Global News, the CSE said the Cyber Centre is aware of the report and “support(s) our allies in calling out this type of incident and its repercussions.” It would not comment on whether any Canadian government agencies or industries were impacted by the 2023 hack.
Several Canadian government agencies use Microsoft software products, including cloud computing.
The review board was convened by Homeland Security Secretary Alejandro Mayorkas in August to determine what led to the intrusion. The report notes Microsoft cooperated fully with the review.
The review concluded that the hacking group took advantage of flaws in Microsoft’s authentication system to obtain a key that allowed it to “gain full access to essentially any Exchange Online account anywhere in the world.” Those flaws also prevented Microsoft from identifying the theft of the key until after the State Department alerted the company to the hack.
The board accused Microsoft of making inaccurate public statements about the incident — including issuing a statement saying it believed it had determined the likely root cause of the intrusion “when, in fact, it still has not.” Microsoft did not update that misleading blog post, published in September, until mid-March after the board repeatedly asked if it planned to issue a correction, it said.
The report noted a number of separate but connected incidents that it says point to Microsoft’s lax security culture, including “the failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021.”
The board also expressed concern about a separate hack disclosed by the Redmond, Wash., company in January — this one of email accounts including those of an undisclosed number of senior Microsoft executives and an undisclosed number of Microsoft customers and attributed to state-backed Russian hackers.
Among the most damning indictments of Microsoft in the report is the inclusion of a quote from a 2002 email to Microsoft workers from company co-founder and then-CEO Bill Gates, stressing the importance of prioritizing security over adding features to its products.
“Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve,” Gates wrote. “These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.”
Microsoft, the board concluded, ” has drifted away from this ethos and needs to restore it immediately as a top corporate priority.”
Storm-0558, the Chinese state-backed hacking group, has been engaged in similar intrusions — compromising cloud providers or stealing authentication keys so it can break into accounts — since at least 2009, the report says, targeting companies including Google, Yahoo, Adobe, Dow Chemical and Morgan Stanley.
Microsoft noted in its statement that the hackers involved are “well-resourced nation state threat actors who operate continuously and without meaningful deterrence.”
The U.S., Canada and its Five Eyes allies have shared multiple advisories over the past six months of the risk posed by Chinese state-aligned hackers to government and critical infrastructure, as well as to democratic elections.
The CSE has also warned Canadians they might be targeted as individuals by Chinese state actors who may try to trick or coerce them into disclosing sensitive data.
— with files from the Associated Press
Comments