Microsoft has refuted a Wiz report concluding that the Chinese state-sponsored hacking of leading officials' email accounts through a stolen encryption key was more widespread than originally believed, with a spokesperson saying that the Wiz findings describe "hypothetical attack scenarios," CyberScoop reports.
However, report co-author Shir Tamari noted that Microsoft's technical team had corrected and approved the analysis, which other experts have also supported. Tamari estimated that the potential impact of exploiting the encryption key would be significant.
"In the case of a compromised signing key, the threat actor can sign those keys offline. So they can do it on their own workstations, and just send them directly to the target application," said Tamari.
Microsoft's statements come after it was accused by Sen. Ron Wyden, D-Ore., of negligence in its cybersecurity practices.
Wyden has also urged both the Cybersecurity and Infrastructure Security Agency and the Federal Trade Commission to investigate the incident.