The Department of Homeland Security issued a damning review of Microsoft’s cybersecurity practices on Tuesday, blaming the cloud provider for exposing the emails of high-ranking government officials. The review found Chinese-state affiliated hackers capitalized on “a cascade of security failures at Microsoft,” and says the company’s security culture “requires an overhaul.”
“It is imperative that cloud service providers prioritize security and build it in by design,” said the Cyber Safety Review Board Chair Robert Silvers in a press release.
The report cites issues with Microsoft’s corporate culture around security that led to this attack. The email accounts of Commerce Secretary Gina Raimondo, the U.S. Ambassador to China R. Nicholas Burns, and Congressman Don Bacon were compromised. The threat actor downloaded over 60,000 emails from the State Department alone, according to the report.
The board says this intrusion was “preventable and should never have occurred,” and that Microsoft’s security culture requires major changes. The damning report paints a picture of an internal mess behind the scenes at Microsoft. The DHS says Microsoft issued inaccurate public statements about the root cause of this attack, which according to the report, Microsoft has still not been able to identify.
Microsoft did not immediately respond to Gizmodo’s request for comment.
A hacker group affiliated with the People’s Republic of China, Storm-0558, was responsible for the attack. As early as May 2023, hackers compromised the mailboxes of government officials by stealing signing keys and utilizing a flaw in Microsoft’s token validation system. This allowed Storm-0558 full access to essentially any Exchange Online account, Microsoft’s hosted messaging platform.
On June 15, the State Department detected a data breach and notified Microsoft. At this point, the Federal Bureau of Investigations became involved, and Microsoft alerted an organization in the United Kingdom that they had been hit by the attack as well. By June 24, Microsoft was able to invalidate the stolen key Storm-0558 was using.
Many of the government officials hit in this attack have substantial responsibilities in maintaining the United States’ relationship with China, so it doesn’t seem to be a coincidence they were hit.
The DHS board issued sweeping recommendations that Microsoft revamp its security practices, including calling out CEO Satya Nadella and the board of directors to directly focus on the company’s security culture. The government review says these security risks should be appropriately addressed before new features are deployed.