
Chinese hack of US emails attributed to Microsoft’s security deprioritization


CyberScoop reports that the Cyber Safety Review Board has blamed Microsoft's inadequate enterprise security and risk management efforts for Chinese advanced persistent threat group Storm-0558's compromise of email accounts belonging to Commerce Secretary Gina Raimondo and other high-level officials.

High-profile email accounts were infiltrated by Storm-0558 through a signing key that had been exfiltrated from a "crash dump," an occurrence which could have been prevented if Microsoft had implemented key validation restrictions and automated key rotation, according to the CSRB report.

Microsoft was also claimed to have provided misleading information regarding the incident after failing to immediately update initial assertions that the stolen key was not included as part of a crash dump.

"Left with the mistaken impression that Microsoft has conclusively identified the root cause of this incident, Microsoft's customers did not have essential facts needed to make their own risk assessments about the security of Microsoft cloud environments in the wake of this intrusion," said the report.

Such security deficiencies have prompted the board to conclude that Microsoft has "drifted away" from the security-first policy noted by company founder Bill Gates in a 2002 email.
