The Department of Homeland Security issued a damning review of Microsoft’s cybersecurity practices on Tuesday, blaming the cloud provider for exposing the emails of high-ranking government officials. The review found Chinese state-affiliated hackers capitalized on “a cascade of security failures at Microsoft,” and says the company’s security culture “requires an overhaul.”
“It is imperative that cloud service providers prioritize security and build it in by design,” said the Cyber Safety Review Board Chair Robert Silvers in a press release.
The report cites issues with Microsoft’s corporate culture around security that led to this attack. The email accounts of Commerce Secretary Gina Raimondo, the U.S. Ambassador to China R. Nicholas Burns, and Congressman Don Bacon were compromised. The threat actor downloaded over 60,000 emails from the State Department alone, according to the report.
The board says this intrusion was “preventable and should never have occurred,” and that Microsoft’s security culture requires major changes. The damning report paints a picture of an internal mess behind the scenes at Microsoft. The DHS says Microsoft issued inaccurate public statements about the root cause of this attack, which, according to the report, Microsoft has still not been able to identify.
Microsoft did not immediately respond to Gizmodo’s request for comment.
A hacker group affiliated with the People’s Republic of China, Storm-0558, was responsible for the attack. As early as May 2023, hackers compromised the mailboxes of government officials by stealing signing keys and utilizing a flaw in Microsoft’s token validation system. This gave Storm-0558 full access to essentially any account on Exchange Online, Microsoft’s hosted messaging platform.
On June 15, the State Department detected a data breach and notified Microsoft. At this point, the Federal Bureau of Investigation became involved, and Microsoft alerted an organization in the United Kingdom that it had been hit by the attack as well. By June 24, Microsoft was able to invalidate the stolen key Storm-0558 was using.
Many of the government officials hit in this attack have substantial responsibilities in maintaining the United States’ relationship with China, so it doesn’t seem to be a coincidence they were hit.
The DHS board issued sweeping recommendations that Microsoft revamp its security practices, including calling out CEO Satya Nadella and the board of directors to directly focus on the company’s security culture. The government review says these security risks should be appropriately addressed before new features are deployed.