A high-profile Chinese state-backed cyberattack that allowed hackers to access the Microsoft email accounts of top government officials last year could have been easily prevented by the tech giant, a Department of Homeland Security assessment found Tuesday.
The Cyber Safety Review Board, established via executive order in 2021 to investigate major cyber incidents, says Microsoft made decisions that deprioritized its security and risk posture, which allowed a hacking group to access the email accounts of major officials including Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns.
The hackers compromised the Microsoft Exchange mailboxes of 22 organizations and over 500 individuals, according to the CSRB report, which said that the intrusion was “preventable” and called Microsoft’s security culture “inadequate” for a provider that’s central to the global tech ecosystem.
The hacking collective responsible for the email compromise, designated by Microsoft as Storm-0558, has been tied to a series of cyberattacks that targeted U.S. companies, including Google between 2009 and 2010, as well as a 2011 incident targeting SecurID tokens.
The cyberattack against Microsoft mailboxes was carried out around the middle of last year after the hackers obtained a Microsoft account key and used it to forge legitimate authentication tokens, hauling off some 60,000 emails from the State Department, as well as communications from other victims.
The company initially said the key was inside a 2021 crash dump, a snapshot of a process’s memory written to disk when the system crashes. But that explanation, which the company later reversed course on, drew scrutiny from the board. Microsoft has updated its original July blog post about the incident several times. A recent March update said it has “not found a crash dump containing the impacted key material” despite its earlier claims.
“The loss of a signing key is a serious problem, but the loss of a signing key through unknown means is far more significant because it means that the victim company does not know how its systems were infiltrated and whether the relevant vulnerabilities have been closed off,” CSRB said.
The company had kept a signing key rotation system in place to prevent older keys from being hijacked, but “stopped the rotation entirely in 2021 following a major cloud outage linked to the manual rotation process,” said the findings. “While Microsoft had paused manual key rotation, it neither had, nor created, an automated alerting system to notify the appropriate Microsoft teams about the age of active signing keys” in the company’s consumer account service, it added.
CSRB also said the company did not update certain software development kits (SDKs) that would have let system administrators differentiate certain signing keys, which could have helped detect hackers masquerading as real users in a network.
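The two gaps the board describes above, no alerting on the age of active signing keys and no way for a relying party to tell which service a key was scoped to, can be illustrated with a toy token verifier. This is an added example, not Microsoft’s code or anything from the CSRB report; the key inventory, its `scope` and `created` fields, the reference date and the HMAC token format are all constructed for illustration.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

# Constructed key inventory. Each signing key records when it was created and
# which identity service (consumer vs enterprise) it may sign tokens for.
# Field names are hypothetical, not Microsoft's real key metadata.
KEYS = {
    "consumer-2016": {"secret": b"c-secret", "scope": "consumer",
                      "created": datetime(2016, 4, 1, tzinfo=timezone.utc)},
    "enterprise-2024": {"secret": b"e-secret", "scope": "enterprise",
                        "created": datetime(2024, 1, 15, tzinfo=timezone.utc)},
}
NOW = datetime(2024, 4, 2, tzinfo=timezone.utc)  # constructed reference date

def stale_keys(keys, now, max_age_days=90):
    """The alerting the report says was missing: active keys past the rotation limit."""
    limit = timedelta(days=max_age_days)
    return sorted(kid for kid, k in keys.items() if now - k["created"] > limit)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid, claims, keys):
    """Toy HMAC token: header.payload.signature, with the key id in the header."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(keys[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token, expected_scope, keys):
    """Accept a token only if its signature is valid AND the signing key is scoped
    to the service the token is presented to. A correctly signed token from a
    consumer-scoped key must not be honoured by an enterprise service."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    if key["scope"] != expected_scope:
        raise ValueError(f"key {header['kid']} is scoped to {key['scope']}, not {expected_scope}")
    return json.loads(_unb64(payload_b64))
```

Running `stale_keys(KEYS, NOW)` flags the 2016 consumer key, and a token it signed verifies for the consumer service but is rejected by the enterprise service on the scope check alone, even though its signature is valid.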
Microsoft in a press statement said that it appreciated the board’s work and will be reviewing its recommendations. The company also highlighted an initiative focused on reducing its legacy infrastructure, improving its processes and adopting new security benchmarks.
The aftermath of the cyberattack led to several rounds of congressional scrutiny over the U.S. government’s heavy reliance on Microsoft products and services, which are used across Capitol Hill, federal agencies and the Defense Department. The company has secured billions of dollars worth of contracts with the government over the past decade, according to data from federal market intelligence provider GovTribe.
Microsoft was caught up in another nation-state hacking incident reported earlier this year, in which Kremlin-backed operatives were found to have stolen company source code and other valuable data using brute-force password guessing across multiple accounts.
“Microsoft’s products and services have repeatedly been targeted and successfully exploited by our adversaries for years,” said Roger Cressey, a former counterterrorism and National Security Council staffer in the White House. “The U.S. government needs to reconsider its relationship with the company that dominates the public sector IT market but continually fails to fulfill its security obligations.”