Microsoft slammed for "cascade of security failures" during 2023 email breach response


Microsoft’s handling of a security breach that exposed government officials’ email correspondence has been heavily criticized by an independent review commissioned by President Biden.

The report from the Cyber Safety Review Board specifically highlighted a lack of transparency from the tech giant during its response to the incident, adding that “lax corporate culture” contributed to its failings. 

The incident in question, the Summer 2023 Exchange Intrusion, saw a state-backed Chinese threat group known as Storm-0558 gain access to the mailboxes of 22 organizations and more than 500 individuals.

Many of these individuals were senior US government officials involved in managing the nation’s relationship with the People’s Republic of China, including Secretary of Commerce Gina Raimondo and Ambassador R. Nicholas Burns.

Storm-0558 had access to some of these accounts for at least six weeks, according to the investigation, during which time the group was able to download approximately 60,000 emails from the State Department alone.

The report slammed Microsoft for still being unable to explain exactly how the Chinese threat group bypassed its security controls and compromised several high-profile email accounts, and for its misleading public communications.

It is believed Storm-0558 used authentication tokens that were signed by a key Microsoft had created in 2016 to access the accounts. 

Referred to as “the cryptographic equivalent of crown jewels”, the signing key gave the attackers far-reaching access and was combined with another flaw in Microsoft’s authentication system, offering full access to virtually any Exchange Online account anywhere in the world.
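To make the failure mode concrete, here is an added example in Python (not from the report, Microsoft, or the original article): a token verifier in which every signing key is bound to the issuer it may vouch for, shown beside a weaker verifier that trusts any key in the set for any issuer. The key IDs, issuer URLs and HMAC secrets are constructed stand-ins for the RSA signing keys real identity providers use.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed key set: each signing key carries the issuer(s) it is allowed to sign for.
# A consumer-account key must never validate a token that claims the enterprise issuer.
KEYS = {
    "consumer-2016": {"secret": b"consumer-secret", "issuers": {"https://login.live.example"}},
    "enterprise-01": {"secret": b"enterprise-secret", "issuers": {"https://login.corp.example"}},
}

def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWT-style token (header.payload.signature) with the named key."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def _parse(token: str):
    header, payload, sig = token.split(".")
    return (json.loads(b64url_decode(header)), json.loads(b64url_decode(payload)),
            header, payload, b64url_decode(sig))

def signature_valid(token: str) -> bool:
    """True if the token's signature verifies under the key named in its header."""
    hdr, _, h, p, sig = _parse(token)
    key = KEYS.get(hdr.get("kid"))
    if key is None:
        return False
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def verify_weak(token: str, expected_iss: str, expected_aud: str) -> bool:
    """Weak: any key in the trusted set is accepted for any issuer, and expiry is ignored."""
    _, claims, *_ = _parse(token)
    return signature_valid(token) and claims.get("iss") == expected_iss and claims.get("aud") == expected_aud

def verify_hardened(token: str, expected_iss: str, expected_aud: str, now=None) -> bool:
    """Hardened: the signing key must be bound to the claimed issuer, and the token must be unexpired."""
    hdr, claims, *_ = _parse(token)
    if not signature_valid(token):
        return False
    key = KEYS[hdr["kid"]]
    if claims.get("iss") != expected_iss or claims.get("iss") not in key["issuers"]:
        return False  # valid signature, wrong trust domain: reject
    if claims.get("aud") != expected_aud:
        return False
    return claims.get("exp", 0) > (now if now is not None else time.time())
```

A token signed with the consumer key but claiming the enterprise issuer passes `verify_weak` and is rejected by `verify_hardened`, which is the property a per-key issuer binding buys the verifier.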

Storm-0558 has been linked with previous attacks on cloud providers, such as the 2009 Operation Aurora campaign that affected more than 24 companies including Google.

Microsoft’s lax security culture and misleading communication 

This is the third review conducted by the board, which was formed after an announcement by President Biden in 2021 and published its first report in 2022 on the Log4j vulnerability known as Log4Shell.

The board consists of government and industry experts and is chaired by the Department of Homeland Security’s undersecretary for policy, Robert Silvers.

The report slammed the hyperscaler for what it described as “the cascade of Microsoft’s avoidable errors that allowed this intrusion to happen”, noting its failures pointed to a wider problem at the company.

“Individually, any one of the failings described above might be understandable. Taken together, they point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security”, the report stated.

“Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

A particular point of contention for the Cyber Safety Review Board was Microsoft’s lack of accurate communication at the time of the breach, including a number of misleading public statements on how the threat actor compromised their systems.

“Microsoft stated in a September 6, 2023 blog post that the most probable way Storm-0558 had obtained the key was from a crash dump to which it had access during the 2021 compromise of Microsoft’s systems.”

“However, Microsoft had only theorized that such a scenario was technically feasible in the 2016 timeframe. While Microsoft updated this blog on March 12, 2024 to correct its assessment of these theories, it has not determined that this is how Storm-0558 obtained the key.”

Furthermore, Microsoft’s failure to detect the compromise of its signing key at the time of the attack meant it was forced to rely on a notification from one of its customers about anomalous activity it had observed.

Time for Microsoft to recognize its responsibility and tighten its ship

The report also noted Microsoft’s recent disclosure of a separate security incident that gave a different nation-state threat group access to sensitive Microsoft corporate email accounts, source code repositories, and internal systems.

The conclusion of the report highlighted the foundational role many Microsoft products play in critical national infrastructure around the world, emphasizing the importance of the hyperscaler taking this responsibility seriously.

“Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency.”

The report offered a number of lessons its authors gleaned from their investigation of Microsoft’s Summer 2023 Exchange Intrusion, intended to help other cloud service providers avoid system-level compromise.

The first states that cloud service providers should implement “modern control mechanisms and baseline practices”, updated to reflect the latest threats, across their digital identity and credential systems.

They should also adopt a minimum standard for default audit logging in their cloud services in order to offer the capacity to detect, prevent, and investigate intrusions as a “baseline and routine service offering without additional charge”.

Cloud service providers also need to improve their incident and vulnerability disclosure practices, bolstering their victim notification and support mechanisms to maximize transparency between customers, stakeholders, and government entities, regardless of a regulatory obligation to report.

In a statement to ITPro, a spokesperson for Microsoft said it welcomed the review board’s findings, adding that the company has since introduced new measures to prevent a similar incident from occurring in the future.

“We appreciate the work of the CSRB to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence. As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks,” the spokesperson said.

“While no organization is immune to cyber attack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.”

The spokesperson said Microsoft will also “review the final report” for additional recommendations and act accordingly. 

Solomon Klappholz
Staff Writer