DHS blames US government hack on ‘cascade of Microsoft security breaches’


Microsoft still does not fully understand how suspected Chinese government hackers breached its systems and accessed the emails of senior U.S. government officials, according to a Department of Homeland Security study.

In a 34-page report prepared by the Cyber Safety Review Board (CSRB), U.S. officials concluded that the Chinese hackers, known as Storm-0558, succeeded “through a cascade of security breaches at Microsoft.” The CSRB report, dated March 20 and released Tuesday, was shared with President Joe Biden and Homeland Security Secretary Alejandro Mayorkas.

The CSRB was tasked with investigating a 2023 incident in which apparent Chinese hackers gained access to the email accounts of U.S. Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns and Daniel Kritenbrink, Assistant Secretary of State for East Asia, before their trip to China in June 2023.

In total, the hackers compromised the Microsoft Exchange Online mailboxes of 22 organizations and 503 individuals around the world, including officials from the Department of Commerce and the Department of State, and Congressman Don Bacon, a member of the House Taiwan Caucus.

According to the CSRB, the threat actor “downloaded approximately 60,000 emails from the State Department alone.”

The CSRB concluded that the intrusion “should never have occurred” and throughout its review it “identified a series of operational and strategic decisions by Microsoft that, collectively, point to a corporate culture that has deprioritized both corporate security investments and rigorous risk management.”

“The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s central place in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the report said. It added that, in addition to operational failures, Microsoft did not detect the incident itself, instead relying on an initial notification from the State Department.

The report lists dozens of security changes that Microsoft’s competitors – Google, Amazon and Oracle – have made to their cloud systems to prevent the type of intrusion that occurred in this incident. It notes that before the CSRB completed its report, Microsoft announced another breach involving suspected Russian hackers.

One of the biggest issues raised in the report is that after months of investigation, Microsoft still doesn’t know how hackers obtained a signing key that allowed them broad access to all Microsoft products.

A signing key lets whoever holds it grant themselves permission to access any information or system within that key’s domain. The key, along with other flaws, allowed the hackers to “gain complete access to virtually any Exchange Online account.”

Microsoft invalidated the stolen key on June 24 and believes the revocation was effective, since it then saw Storm-0558 “attempt phishing and other methods to regain access to email boxes it had previously compromised.”
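To make the two points above concrete (a signing key grants access to everything in its domain, and revoking the key cuts that access off), here is an added illustration that is not code from the report, from Microsoft or from any real token service: a toy issuer that signs bearer tokens with a per-key-id secret, and a verifier that pins each key id to the audience it may sign for and supports revocation. The token format, the key ids (`consumer-2016`, `enterprise-2023`) and the audience-pinning check are all assumptions made for the example.

```python
import base64, hashlib, hmac, json

# Constructed demo of key-scoped token verification (not any vendor's code).
# Tokens are "header.body.sig" with HMAC-SHA256 standing in for the real
# signing scheme; the point is what the verifier checks, not the crypto.

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(kid: str, secret: bytes, claims: dict) -> str:
    """Sign arbitrary claims with the key identified by kid.
    Anyone holding `secret` can mint a token for any subject: that is
    exactly why a stolen signing key is so damaging."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

class Verifier:
    def __init__(self):
        self.keys = {}       # kid -> (secret, audience this key may sign for)
        self.revoked = set() # kids that have been invalidated

    def add_key(self, kid: str, secret: bytes, audience: str):
        self.keys[kid] = (secret, audience)

    def revoke(self, kid: str):
        """Invalidate a key; every token it signed stops verifying."""
        self.revoked.add(kid)

    def verify(self, token: str, expected_aud: str):
        """Return (claims, None) on success, else (None, reason)."""
        try:
            header, body, sig = token.split(".")
            kid = json.loads(_unb64(header))["kid"]
        except (ValueError, KeyError):
            return None, "malformed"
        if kid in self.revoked:
            return None, "revoked key"
        if kid not in self.keys:
            return None, "unknown key"
        secret, allowed_aud = self.keys[kid]
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None, "bad signature"
        claims = json.loads(_unb64(body))
        # Pinning: a key only validates tokens for the audience it was issued for.
        if claims.get("aud") != expected_aud or allowed_aud != expected_aud:
            return None, "key not valid for this audience"
        return claims, None
```

With a stolen key, `mint_token` produces a token for any subject that `verify` accepts until `revoke` is called; the audience-pinning line limits a stolen key's reach to its own domain rather than every service that trusts the verifier.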

But the CSRB criticized Microsoft not only for failing to provide the Commerce Department with log data requested for its investigation, but also for waiting months to correct erroneous claims the company made in the fall that the signing key had been obtained from a crash dump.

The CSRB held several meetings with Microsoft urging it to give the public an updated notice explaining that the crash dump theory has not been proven and may not be how the hackers obtained the key.

“At the conclusion of this review, Microsoft was still unable to demonstrate to the Board that it knew how Storm-0558 obtained the MSA 2016 key,” the report said. “The Board further determines that Microsoft has no evidence or logs showing the presence or exfiltration of the stolen key in an incident dump.”

The report also reveals that the hackers behind the Microsoft incident were linked to Operation Aurora, which targeted Google in 2009, and to the 2011 RSA SecurID compromise, CSRB Acting Deputy Chair Dmitri Alperovitch said in a statement.

“This hacker group affiliated with the People’s Republic of China has the ability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government,” Alperovitch said.

“Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from state actors.”

The Chinese Embassy forcefully denied any involvement in the 2023 incident in a statement to Reuters last year.

Microsoft did not respond to specific questions about the claims made in the report, telling Recorded Future News only that “recent events have demonstrated the need to adopt a new culture of security engineering in our own networks.”

A spokesperson said Storm-0558 is an example of “well-resourced state threat actors operating continuously and without significant deterrence.”

“We have mobilized our engineering teams to identify and mitigate existing infrastructure, improve processes and apply security criteria,” the Microsoft spokesperson said.

“Our security engineers continue to harden all of our systems against attacks and are implementing even more robust sensors and logging to help us detect and repel our adversaries’ cyber armies. We will also review the final report for additional recommendations.”

CSRB Recommendations for Microsoft

The report includes dozens of recommendations that it wants Microsoft to consider as it seeks to recover from the incident. The board spoke with dozens of other cloud providers, who listed multiple ways to guard against the type of stolen-signing-key attack that Microsoft faced.

The CSRB said Microsoft’s customers “would benefit from its CEO and board focusing directly on the company’s security culture and developing and publicly sharing a plan with specific timelines to undertake fundamental reforms focused on enterprise security and its comprehensive suite of products.”

Top Microsoft officials should be held accountable, and the CSRB said Microsoft must “deprioritize feature development across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources.”

Roger Cressey, a former senior national security official in the Clinton and Bush administrations, told Recorded Future News that the CSRB’s findings “confirm what the security community has known for years: Microsoft is not taking its responsibilities seriously in matters of security towards our government.”

“Microsoft products and services have been repeatedly targeted and successfully exploited by our adversaries for years,” he said, calling the 2023 incident “Microsoft’s Boeing moment,” referring to recent controversies around the aircraft manufacturer.

“There must be real changes in culture and leadership. The U.S. government must reconsider its relationship with the company that dominates the public sector IT market but still fails to meet its security obligations,” he said.

“At a minimum, the CSRB report makes a clear case for suspending any new contract awards to Microsoft until it demonstrates that it can be a reliable partner for the federal government. The administration deserves credit for its forthright assessment of Microsoft’s security flaws; the next step is to use government purchasing power to demand accountability and change from Microsoft.”