Microsoft's lax security blasted by investigators after serious breach
Cascade of failings allowed Chinese hackers to access government emails, says US review board
A damning report by the US Cyber Safety Review Board (CSRB) has revealed a "cascade of errors and security failures" at Microsoft which allowed a major breach of its systems last year.
The attack, which took place in summer 2023, saw China-linked threat actor Storm-0558 access the Microsoft Exchange Online mailboxes of 22 organisations and more than 500 individuals, including several government officials.
"This intrusion was preventable and should never have occurred," said CSRB chair Robert Silvers. "Storm-0558 was able to succeed because of a cascade of security failures at Microsoft."
The Board found that Microsoft's security culture and inadequate controls were instrumental in allowing the threat actor to obtain sensitive customer data. The company failed to detect the breach, only taking action after being alerted by one of its customers, the US State Department. It had also failed to bring its systems up to date, in contrast with the practices of other major cloud providers.
"Microsoft had not sufficiently prioritised rearchitecting its legacy infrastructure to address the current threat landscape," the report says.
CSRB, which was set up by the Biden administration in 2021, also said that Microsoft was slow to respond after the breach had been discovered, and was inaccurate in its public statements, leaving customers unable to properly assess their risk.
"Microsoft's decision not to correct, in a timely manner, its inaccurate public statements about this incident ... left [customers] with the mistaken impression that Microsoft has conclusively identified the root cause of this incident. Microsoft's customers did not have essential facts needed to make their own risk assessments," said CSRB.
The company has continued to drag its heels over full disclosure, it added: "[Microsoft] did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board's repeated questioning about Microsoft's plans to issue a correction."
Storm-0558 stole the crown jewels
Storm-0558 accessed the Exchange Online email accounts using authentication tokens signed by a stolen key that Microsoft had created in 2016. The report describes signing keys as "the cryptographic equivalent of crown jewels for any cloud service provider," because whoever holds one can mint tokens that grant remote access to many different systems.
The key stolen by Storm-0558 should have been invalidated in 2021, but this did not happen owing to other changes that Microsoft was making to its infrastructure at the time. The key was not retired until 2023, after the attack had been discovered.
In a blog post after the incident was made public, Microsoft said, inaccurately, that the Microsoft Account key had been stolen from a crash dump. It then failed to correct this statement. In fact, said CSRB, "As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key."
Microsoft's corporate culture has historically "deprioritised both enterprise security investments and rigorous risk management," going back to the days of Bill Gates, CSRB found.
In a long list of recommendations for the tech giant, it urged a top-down review of the company's security culture and said it should develop a plan with timelines for fundamental reforms.
It insisted that Microsoft should deprioritise feature developments until substantial security improvements have been made, and should make security a business priority.
It also said Microsoft needs to improve its security logging, forensics, IAM and related systems, and that it needs to be more transparent about breaches in future.
In a statement Microsoft said: "While no organisation is immune to cyberattack from well-resourced adversaries, we have mobilised our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks."