Microsoft has been singled out by an official review in the United States into a high-profile compromise of US governmental emails by Chinese hackers.
The U.S. Cyber Safety Review Board (CSRB) has published its findings and recommendations following its independent review of the summer 2023 Microsoft Exchange intrusion. It singled Microsoft out for its cybersecurity lapses and a lack of transparency.
It comes after US officials and Microsoft acknowledged in July 2023 that hackers suspected to be allied to the Chinese government had accessed the accounts of about 25 organisations, including the US Commerce and State Departments.
Microsoft then revealed that the attack group Storm-0558, affiliated with the People’s Republic of China, had used an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA (Outlook Web Access) and Outlook.com.
China denied the hack (as it commonly does), but it emerged that the US State Department staff whose accounts were compromised mostly focused on Indo-Pacific diplomacy, and the hackers had obtained a list of all the department’s email accounts.
In August it emerged that Microsoft’s role in the breach of government officials’ email accounts by suspected Chinese hackers was to be officially investigated.
In October 2023 the US State Department confirmed the Microsoft hack was linked to China, and resulted in theft of about 60,000 emails from 10 accounts, including the US ambassador to China.
Now the CSRB has published its findings, which are to be delivered to President Joe Biden, and the report will make for uncomfortable reading for Microsoft bosses including CEO Satya Nadella.
“Individuals and organisations across the country rely on cloud services every day, and the security of this technology has never been more important,” said Secretary of Homeland Security Alejandro N. Mayorkas.
“Nation-state actors continue to grow more sophisticated in their ability to compromise cloud service systems,” said Secretary Mayorkas. “Public-private partnerships like the CSRB are critical in our efforts to mitigate the serious cyber threat these nation-state actors pose.”
“The Department of Homeland Security appreciates the Board’s comprehensive review and report of the Storm-0558 incident,” said Secretary Mayorkas. “Implementation of the Board’s recommendations will enhance our cybersecurity for years to come.”
The CSRB’s review found that the intrusion by Storm-0558, a hacking group assessed to be affiliated with the People’s Republic of China, was preventable.
It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritised enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.
The CSRB recommends that Microsoft develop and publicly share a plan with specific timelines to make fundamental, security-focused reforms across the company and its suite of products. Microsoft fully cooperated with the Board’s review.
Select recommendations include:
“DHS is committed to efforts that meaningfully improve cybersecurity resilience and preparedness for our nation, and the work of the CSRB is reflective of our determination and dedication to this cause,” said CISA Director Jen Easterly.
“I am confident that the findings and recommendations from the Board’s report will catalyze action to reduce risk to the critical infrastructure Americans rely on every day,” said Easterly.
Microsoft pointed out that no organisation can escape being targeted, but said that it has taken action to harden its systems.
“While no organisation is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” Microsoft was quoted by Reuters as saying.
“Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations,” Microsoft reportedly added.
Last week the United States and United Kingdom imposed new sanctions on China after accusing the country of sustaining a cyber-attack campaign lasting more than a decade that targeted Western officials, journalists, corporations and pro-democracy activists, and the UK’s Electoral Commission.
New Zealand’s security minister also confirmed that hackers linked to the Chinese government had launched a state-sponsored operation that targeted New Zealand’s Parliament in 2021.
Last October the heads of Five Eyes intelligence agencies came together in a rare move to publicly accuse China of intellectual property theft and using AI for hacking.