Last updated on April 8th, 2024 at 11:29 am

A federal report indicates a series of mistakes by the tech giant enabled Chinese operators to access email accounts of senior government officials

A review board appointed by the Biden administration issued a scathing report on Tuesday, criticizing Microsoft for a series of errors that allowed state-backed Chinese cyber operators to access email accounts of senior US officials, including Commerce Secretary Gina Raimondo. The report by the Cyber Safety Review Board, established in 2021 by executive order, highlights concerns over Microsoft’s cybersecurity practices, corporate culture, and transparency regarding its knowledge of the targeted breach, which affected several US agencies dealing with China.

The review board concluded that Microsoft’s security culture was inadequate and in need of an overhaul, especially considering the company’s widespread use and critical role in the global technology ecosystem. Microsoft products are fundamental to essential services supporting national security, the economy, and public health and safety.

The panel stated that the intrusion, discovered by the State Department in June and dating back to May, “was preventable and should never have occurred.” It attributed the success of the breach to “a cascade of avoidable errors.” Additionally, the board noted that Microsoft is still uncertain about how the hackers gained access.

The panel’s recommendations were comprehensive, including a suggestion for Microsoft to temporarily halt the addition of features to its cloud computing environment until “substantial security improvements have been made.”

The panel recommended that Microsoft’s CEO and board implement “rapid cultural change,” including publicly disclosing “a plan with specific timelines for implementing fundamental, security-focused reforms across the company and its entire range of products.”

Microsoft stated that it valued the board’s investigation and would “continue to strengthen all our systems against attacks and deploy even more robust sensors and logs to assist us in detecting and repelling the cyber adversaries.”

The report, spanning 34 pages, revealed that state-backed Chinese hackers infiltrated the Microsoft Exchange Online email of 22 organizations and over 500 individuals worldwide. Among the victims was US Ambassador to China Nicholas Burns, with the hackers accessing some cloud-based email boxes for at least six weeks. They downloaded approximately 60,000 emails from the State Department alone. Additionally, the compromise affected three think tanks and four foreign government entities, including the UK’s National Cyber Security Center.

The board, assembled by Homeland Security Secretary Alejandro Mayorkas in August, accused Microsoft of making inaccurate public statements regarding the incident. For instance, Microsoft issued a statement in September stating it believed it had identified the likely root cause of the intrusion, which was not the case. Despite repeated inquiries from the board, Microsoft did not update this misleading blog post until mid-March.

The board also raised concerns about another hack revealed by the Redmond, Washington-based company in January. This incident involved the compromise of email accounts, including those belonging to an unspecified number of senior Microsoft executives and customers, and was attributed to state-backed Russian hackers. The board criticized what it perceived as “a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

The Chinese hack was first disclosed by Microsoft in July through a blog post and was attributed to a group known as Storm-0558. The panel highlighted that this group has been involved in similar intrusions since at least 2009, targeting companies such as Google, Yahoo, Adobe, Dow Chemical, and Morgan Stanley. They typically compromise cloud providers or steal authentication keys to access accounts.

Microsoft acknowledged in its statement that the hackers are “well-resourced nation-state threat actors who operate continuously and without meaningful deterrence.” The company stated that recent events have shown the need to adopt a new culture of engineering security within its own networks. As a result, it has mobilized its engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.