Report Slams Microsoft for Security Blunders in Chinese Hack
Hack Targeting Top Government Officials 'Was Preventable,' Scathing Report Says
Microsoft committed a cascade of "avoidable errors" that permitted a Chinese hacking campaign last summer to successfully target top U.S. government officials' email accounts, according to a government-ordered review published Tuesday.
The Department of Homeland Security's Cyber Safety Review Board stated in a report about Chinese hackers' 2023 penetration of Microsoft Exchange Online that the tech giant engaged in a series of operational and strategic decisions that effectively deprioritized enterprise security investments and rigorous risk management (see: Hackers Stole Signing Key, Hit US Government's Microsoft 365).
Microsoft's inadequate security culture led to a targeted espionage campaign by the Chinese hacking group tracked as Storm-0558 that "was preventable and should never have occurred," the report said. The review board found that Microsoft failed to detect the compromise of a digital signing key created in 2016 and used to create authentication tokens. It also failed to detect the compromise of a Microsoft engineer's laptop in 2021 that ultimately allowed the targeted hacking to occur.
"Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy," DHS Under Secretary of Policy and CSRB Chair Robert Silvers said in a press release, adding: "It is imperative that cloud service providers prioritize security and build it in by design."
Chinese hackers penetrated the email inboxes of senior officials including Commerce Secretary Gina Raimondo, the U.S. ambassador to China and Rep. Don Bacon, a Nebraska Republican critical of Beijing. The hacking coincided with a mid-June visit to China by Secretary of State Antony Blinken that was delayed from earlier in 2023 after a Chinese surveillance balloon drifted across the continental United States.
The board recommended a comprehensive overhaul of Microsoft's security infrastructure, including a publicly shared plan with specific timelines to implement security-focused reforms. CSRB said Microsoft leadership should also consider directing teams across the company to deprioritize cloud infrastructure and product developments "until substantial security improvements have been made."
The 29-page report delves into the timeline of the attack, beginning in May 2023 when Storm-0558 first gained access to email accounts, two years after the group had compromised an engineer's device. The hacking group accessed Department of Commerce email accounts in early June. The Department of State's security operations center detected anomalous mail access later that month.
The CSRB report describes signing keys, which provide secure authentication for remote systems, as "the cryptographic equivalent of crown jewels for any cloud service provider" and adds: "As occurred in the course of this incident, an adversary in possession of a valid signing key can grant itself permission to access any information or systems within that key's domain."
Microsoft last year said Chinese hackers were apparently able to obtain the digital signing key for authentication tokens after finding the key in a dump of crash data stored in the company's internet-connected network. The company in late March backed off that explanation, stating, "We have not found a crash dump containing the impacted key material."
"Microsoft does not know how or when Storm-0558 obtained the signing key," the report says.
The board called on all cloud service providers to implement modern control mechanisms and baseline security practices across their digital identity and credential systems and to adopt a minimum standard for default audit logging in cloud services to help enable detection of intrusions.
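The report's two technical points above, that a signing key is only trusted within its own domain and that intrusions are detectable only when every authentication decision is logged, are illustrated by the following verifier. This is an added example, not code from the report or from Microsoft; it assumes a simplified HMAC-signed token format and a constructed key registry rather than any real cloud identity system.

```python
import base64, hashlib, hmac, json

# Constructed key registry (not real keys). Each signing key is bound to one domain
# and records its creation time, so a key that has outlived the rotation policy,
# as a key created in 2016 should have long before 2023, is refused outright.
KEYS = {
    "consumer-2016": {"secret": b"constructed-consumer-key", "domain": "consumer", "created": 1451606400},
    "enterprise-2023": {"secret": b"constructed-enterprise-key", "domain": "enterprise", "created": 1672531200},
}
MAX_KEY_AGE = 365 * 24 * 3600  # assumed rotation policy: a key older than one year is dead
AUDIT_LOG = []                 # every verification decision is recorded, accept or reject

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(kid: str, claims: dict) -> str:
    """Issuer side: header.payload.signature, HMAC-SHA256 under the named key."""
    head = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_token(token: str, service_domain: str, now: int):
    # Verifier side: signature, then key scope, key age and token expiry; every outcome audited.
    def decide(ok, reason, kid="?", sub="?"):
        AUDIT_LOG.append({"t": now, "kid": kid, "sub": sub, "domain": service_domain, "ok": ok, "reason": reason})
        return ok, reason
    try:
        head, body, sig = token.split(".")
        kid = json.loads(_unb64(head))["kid"]
        claims = json.loads(_unb64(body))
    except (ValueError, KeyError, TypeError):
        return decide(False, "malformed")
    key = KEYS.get(kid)
    if key is None:
        return decide(False, "unknown_kid", kid)
    sub = claims.get("sub", "?")
    expected = hmac.new(key["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return decide(False, "bad_signature", kid, sub)
    # A valid signature only proves which key signed the token. That key must also be
    # the one this service's domain trusts: a key from another domain buys nothing here.
    if key["domain"] != service_domain:
        return decide(False, "key_outside_domain", kid, sub)
    if now - key["created"] > MAX_KEY_AGE:
        return decide(False, "key_past_rotation", kid, sub)
    if claims.get("exp", 0) <= now:
        return decide(False, "token_expired", kid, sub)
    return decide(True, "accepted", kid, sub)
```

Every rejection, including a correctly signed token presented to the wrong domain, lands in AUDIT_LOG with the key id and subject, which is the record a security operations center needs to spot a key being used outside its scope.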
The report also recommends that providers develop more effective victim notification and support resources "to drive information sharing efforts and amplify pertinent information for investigating, remediating and recovering from cybersecurity incidents."
CSRB acting Deputy Chair Dmitri Alperovitch said in a statement that Storm-0558 "has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government."
"Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors," he said.
The report also encourages the Federal Risk and Authorization Management Program to develop a framework for conducting discretionary special reviews of its cloud service offerings following high-impact situations.