A review board established by President Joe Biden is blaming Microsoft’s company culture for a hack that compromised the emails of more than 500 people including the Secretary of Commerce.
The Cyber Safety Review Board, which was created and appointed by President Joe Biden in 2021, said in a new report that China-based hackers were able to steal the data because of “the cascade of Microsoft’s avoidable errors.”
“The board finds that Microsoft had not sufficiently prioritized rearchitecting its legacy infrastructure to address the current threat landscape,” the report said.
The report is the culmination of an investigation into a major hack last year which saw suspected China-based hackers steal tens of thousands of emails from hundreds of critical accounts in the United States and other governments.
Among the email accounts breached were those of Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns, Assistant Secretary of State Daniel Kritenbrink, and Rep. Don Bacon (R-Nebraska).
The hack was attributed by Microsoft to Storm-0558, which Microsoft described as a “China-based threat actor with espionage objectives.”
Some 60,000 emails were stolen from the U.S. State Department alone, and the hackers also accessed officials’ travel itineraries and captured a list of every State Department email address in the lead-up to a visit to Beijing by Secretary of State Antony Blinken.
The report highlights how Microsoft initially believed the hack to have been carried out with stolen encryption keys, taken either from a stolen device or from a compromised account.
It was discovered much later, however, that Storm-0558 had forged its own security token from a stolen signing credential to access Microsoft cloud systems as far back as 2016.
“As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key.”
The report further condemns Microsoft leadership for delaying the retirement of authentication keys in 2021, which would have rendered any token forged with the stolen key useless.
Both Microsoft and the board reported that the hacking operation was part of a much broader state-backed plot by communist China.
Microsoft assessed the breach as part of “a targeted information-collection operation aimed at fulfilling [China’s] intelligence needs.”
“The board believes that the actor also prioritized high-value and time-sensitive collection missions,” the report said.
To that end, Microsoft believes that Storm-0558 limited the scope of this particular intrusion to limit the possibility of detection, but could have seized much more.
In the end, Microsoft invalidated the stolen key the threat actor was using, at which point Storm-0558 appeared to lose access to the breached accounts, as evidenced by immediate phishing attempts to regain access.
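The mechanism the report describes above, a token forged with a stolen signing key, and the two defences it turns on (timely key retirement, and invalidating the stolen key so the attacker's tokens stop verifying), can be shown with a small token verifier. The following is an added illustration, not Microsoft's code or anything from the board's report: it uses HMAC-SHA256 in place of the asymmetric keys a real cloud identity service would use, and the key IDs, secrets and claims are constructed here. The point it makes is that the verifier, not the token, decides which keys are trusted: a token whose `kid` is unknown, or whose key has been retired, is rejected regardless of whether its signature is mathematically valid.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


class SigningKeyRing:
    """Signing keys indexed by key ID (kid), with a retirement flag per key.

    Hypothetical illustration: a production key ring would hold public keys
    for asymmetric signatures, with the private halves in an HSM.
    """

    def __init__(self):
        self._keys = {}  # kid -> {"secret": bytes, "active": bool}

    def add_key(self, kid: str, secret: bytes) -> None:
        self._keys[kid] = {"secret": secret, "active": True}

    def retire_key(self, kid: str) -> None:
        # Keep the record for audit purposes but refuse to trust it any further.
        if kid in self._keys:
            self._keys[kid]["active"] = False

    def lookup(self, kid):
        return self._keys.get(kid)


def sign_token(ring: SigningKeyRing, kid: str, claims: dict) -> str:
    """Mint a compact JWS (header.payload.signature) with HS256 (constructed example)."""
    entry = ring.lookup(kid)
    if entry is None or not entry["active"]:
        raise ValueError("cannot sign with unknown or retired key")
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(entry["secret"], f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(ring: SigningKeyRing, token: str, expected_aud: str, now=None):
    """Return (accepted, reason, claims).

    Each rejection carries a distinct reason so the verifier's refusals can be
    logged; a burst of "retired kid" or "unknown kid" rejections after a key
    rotation is exactly the signal a defender wants to see.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers unpack errors, bad base64 and bad JSON
        return False, "malformed", None
    if header.get("alg") != "HS256":
        return False, "unsupported alg", None
    entry = ring.lookup(header.get("kid"))  # the verifier's own ring decides trust
    if entry is None:
        return False, "unknown kid", None
    if not entry["active"]:
        return False, "retired kid", None  # valid signature, but the key is no longer trusted
    expected = hmac.new(entry["secret"], f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature", None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired", None
    if claims.get("aud") != expected_aud:
        return False, "wrong audience", None
    return True, "ok", claims


if __name__ == "__main__":
    ring = SigningKeyRing()
    ring.add_key("key-old", b"constructed-secret-old")  # constructed sample keys
    ring.add_key("key-new", b"constructed-secret-new")
    tok = sign_token(ring, "key-old", {"sub": "user@example.test", "aud": "mail-api", "exp": 2000})
    print(verify_token(ring, tok, "mail-api", now=1000)[:2])  # accepted while the key is active
    ring.retire_key("key-old")  # rotation / invalidation of the compromised key
    print(verify_token(ring, tok, "mail-api", now=1000)[:2])  # same token, now rejected
```

The `retire_key` step is the one the report faults Microsoft for delaying: until the key is marked inactive on the verifier side, every token minted with it, forged or legitimate, continues to verify. Note also that short `exp` values limit how long a forged token stays useful even before retirement, which is why the verifier checks expiry and audience rather than the signature alone.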
The board found Microsoft’s culture to be “inadequate” for ensuring in-depth security.
“The board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the report said.
“[Microsoft’s position] requires a security-focused corporate culture of accountability, which starts with the CEO, to ensure that financial or other go-to-market factors do not undermine cybersecurity and the protection of Microsoft’s customers.”
From The Epoch Times