A scathing report released by the U.S. Cyber Safety Review Board (CSRB) has found that Microsoft could have prevented Chinese state-sponsored hackers from breaching the emails of U.S. government officials last year. The incident, which the CSRB described as a "cascade of security failures," exposed the Microsoft Exchange Online emails of 22 organizations and more than 500 people worldwide, including senior U.S. government officials working on national security matters.

The report, released late Tuesday by the U.S. Department of Homeland Security (DHS), concluded that the hack was "preventable" and that a series of operational and strategic decisions within Microsoft collectively led to "a corporate culture that deprioritized enterprise security investments and rigorous risk management." Among the U.S. government officials whose emails were compromised were Commerce Secretary Gina Raimondo and R. Nicholas Burns, the American ambassador to China.

According to the report, the Chinese hackers, known as Storm-0558, used an acquired Microsoft account (MSA) consumer key to forge tokens, granting them access to Outlook on the web (OWA) and Outlook.com. While Microsoft has stated that its leading hypothesis is that the key was stolen from a crash dump, the company has not been able to locate the specific crash dump containing the compromised key material.
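As an added illustration (not code from the CSRB report or from Microsoft, and not a reproduction of the validation logic involved in the incident, which the article does not describe), the following Python models the general risk of a signing key from one trust domain being used to forge tokens for another. It assumes a generic HMAC-signed `header.payload.signature` token format; the issuer names, key ids and key bytes are constructed for the example. The weak verifier accepts any known key id from a merged key set, while the hardened verifier consults only the keys published for the issuer the token claims, so a token signed with the consumer key but claiming the enterprise issuer is rejected.

```python
# Added illustration of scoped token verification; issuers, key ids and keys
# below are constructed for the example and are not real key material.
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Produce a compact header.payload.signature token (HMAC-SHA256)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    claims = json.loads(_b64url_decode(body_b64))
    return head_b64 + "." + body_b64, header, claims, _b64url_decode(sig_b64)


def verify_naive(token: str, all_keys: dict, expected_audience: str) -> bool:
    """Weak pattern: any known key id from a merged key set is accepted,
    regardless of which issuer the key belongs to."""
    signing_input, header, claims, sig = _split(token)
    key = all_keys.get(header.get("kid"))
    if key is None:
        return False
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected) and claims.get("aud") == expected_audience


def verify_scoped(token: str, keys_by_issuer: dict, expected_issuer: str,
                  expected_audience: str) -> bool:
    """Hardened pattern: the token's iss and aud must match what this service
    expects, and only keys published for that issuer are consulted."""
    signing_input, header, claims, sig = _split(token)
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        return False
    key = keys_by_issuer.get(expected_issuer, {}).get(header.get("kid"))
    if key is None:
        return False  # key id not published by the expected issuer
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


# Constructed key sets for two trust domains (consumer and enterprise).
CONSUMER_KEYS = {"consumer-kid-1": b"constructed-consumer-signing-key"}
ENTERPRISE_KEYS = {"enterprise-kid-1": b"constructed-enterprise-signing-key"}
KEYS_BY_ISSUER = {"consumer-issuer": CONSUMER_KEYS, "enterprise-issuer": ENTERPRISE_KEYS}
MERGED_KEYS = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}


def demo() -> dict:
    # Claims name the enterprise issuer, but the signature comes from the consumer key.
    forged = sign_token({"iss": "enterprise-issuer", "aud": "enterprise-mail", "sub": "victim"},
                        "consumer-kid-1", CONSUMER_KEYS["consumer-kid-1"])
    legit = sign_token({"iss": "enterprise-issuer", "aud": "enterprise-mail", "sub": "user"},
                       "enterprise-kid-1", ENTERPRISE_KEYS["enterprise-kid-1"])
    return {
        "forged_naive": verify_naive(forged, MERGED_KEYS, "enterprise-mail"),
        "forged_scoped": verify_scoped(forged, KEYS_BY_ISSUER, "enterprise-issuer", "enterprise-mail"),
        "legit_scoped": verify_scoped(legit, KEYS_BY_ISSUER, "enterprise-issuer", "enterprise-mail"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that a relying party should never build one flat pool of "keys I have seen"; key lookup is scoped by the issuer the service expects, and the token's own claims are checked against that expectation before the signature is even tried.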

The CSRB's investigation revealed that Microsoft acknowledged to the board in November that its September blog post, which outlined the crash dump theory, was inaccurate. However, the company only corrected the post months later on March 12th, after the board repeatedly questioned Microsoft about its plans to issue a correction. While the report notes that Microsoft fully cooperated with the investigation, it concludes that the company's security culture is inadequate and requires an overhaul.

"The Board finds that this intrusion was preventable and should never have occurred," the report states. "The Board also concludes that Microsoft's security culture was inadequate and requires an overhaul, particularly in light of the company's centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations."

The findings from the CSRB come at a time when Microsoft is launching its AI-powered chatbot, Copilot for Security, designed to assist cybersecurity professionals. The company is charging businesses $4 per hour of usage as part of a consumption model for this latest AI tool, even as it grapples with an ongoing attack from Russian state-sponsored hackers known as Nobelium.

Nobelium, the same group responsible for the SolarWinds attack, managed to spy on some Microsoft executive email inboxes for months, leading to the theft of some of the company's source code. Microsoft recently admitted that the group accessed its source code repositories and internal systems.

In response to the breach of U.S. government emails last year and similar cybersecurity attacks in recent years, Microsoft is now attempting to overhaul its software security through its new Secure Future Initiative (SFI). This initiative aims to transform how the company designs, builds, tests, and operates its software and services, marking the most significant change to Microsoft's security efforts since the introduction of its Security Development Lifecycle (SDL) in 2004.

The SDL was introduced after the devastating Blaster worm knocked Windows XP machines offline in 2003, and the SFI is seen as a necessary response to the increasing sophistication and frequency of cybersecurity threats. As Microsoft works to improve its security practices, the U.S. government and other organizations will be closely monitoring the company's progress, given its critical role in the technology ecosystem and the trust placed in it by customers worldwide.