
Federal board investigating Microsoft email hacks by Chinese group

DHS Secretary Mayorkas

Recent Chinese state-sponsored hacking of Microsoft email users, including leading U.S. officials, will be the focus of a review by the Department of Homeland Security’s Cyber Safety Review Board (CSRB).

Microsoft faced strong criticism last month after it revealed that a hacking group had acquired a private signing key and used it to forge authentication tokens, gaining access to the cloud-based email accounts of more than 25 organizations.
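The forgery described above works because a token validator trusts whatever the signing key signs: anyone holding the key can mint tokens for any user. The following is an added illustration, not code from the article, from Microsoft, or from the CSRB. It uses HMAC-SHA256 as a stand-in for an asymmetric signing key, and all key IDs, secrets, issuer URLs and user names are constructed for the example. It shows two checks a practitioner would want: a naive validator that accepts any token whose signature verifies under any key it knows, and a strict validator that binds the key ID to the key set of the expected issuer and checks issuer, audience and expiry. The strict validator rejects a token signed with a key belonging to a different issuer, but, as the last case shows, it still accepts a token forged with the expected issuer's own stolen key, which is why key compromise can only be contained by rotation and detection, not by claim checks.

```python
"""Added example: forging JWT-style tokens with a stolen signing key, and
how strict validation limits (but does not eliminate) the damage.

HMAC-SHA256 stands in for the asymmetric signing key in the real incident;
the lesson is the same because whoever holds the key can mint valid tokens.
All key IDs, secrets, issuers and subjects below are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed key material: each signing key is trusted for exactly one issuer.
KEYS = {
    "enterprise-key-1": b"constructed-enterprise-signing-secret",
    "consumer-key-7": b"constructed-consumer-signing-secret",
}
TRUSTED_ISSUER_KEYS = {
    "https://login.example.test/enterprise": {"enterprise-key-1"},
    "https://login.example.test/consumer": {"consumer-key-7"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(kid, key, issuer, audience, subject, ttl=3600, now=None):
    """Produce header.payload.signature; any holder of `key` can do this."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "kid": kid, "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "sub": subject,
               "iat": now, "exp": now + ttl}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def _split(token):
    h, p, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(p)),
            (h + "." + p).encode(), b64url_decode(s))


def verify_naive(token):
    """Weak check: accepts a token if its signature verifies under ANY known key."""
    header, payload, signing_input, sig = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, sig) else None


def verify_strict(token, expected_issuer, expected_audience, now=None):
    """Hardened check: kid must belong to the expected issuer's key set,
    and iss/aud/exp must match what this service expects."""
    now = int(time.time()) if now is None else now
    header, payload, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        return None
    kid = header.get("kid")
    if kid not in TRUSTED_ISSUER_KEYS.get(expected_issuer, set()):
        return None  # signed by a key this issuer never used
    expected = hmac.new(KEYS[kid], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if payload.get("iss") != expected_issuer or payload.get("aud") != expected_audience:
        return None
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        return None
    return payload


def demo(now=1_700_000_000):
    """Compare both validators on a legitimate token and two forgeries."""
    ent_iss = "https://login.example.test/enterprise"
    aud = "https://mail.example.test"
    legit = mint_token("enterprise-key-1", KEYS["enterprise-key-1"],
                       ent_iss, aud, "user@corp.example.test", now=now)
    # Attacker holds only the CONSUMER key but claims the enterprise issuer.
    cross_key = mint_token("consumer-key-7", KEYS["consumer-key-7"],
                           ent_iss, aud, "official@corp.example.test", now=now)
    # Attacker has stolen the enterprise issuer's OWN key: claim checks cannot help.
    stolen_key = mint_token("enterprise-key-1", KEYS["enterprise-key-1"],
                            ent_iss, aud, "official@corp.example.test", now=now)
    return {
        "legit_naive": verify_naive(legit) is not None,
        "cross_key_naive": verify_naive(cross_key) is not None,
        "legit_strict": verify_strict(legit, ent_iss, aud, now) is not None,
        "cross_key_strict": verify_strict(cross_key, ent_iss, aud, now) is not None,
        "stolen_issuer_key_strict": verify_strict(stolen_key, ent_iss, aud, now) is not None,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28s} accepted={accepted}")
```

The naive validator accepts the cross-issuer forgery because the signature is genuine under a key it knows; the strict validator rejects it because that key is not in the enterprise issuer's key set. Neither validator can distinguish a token minted with the issuer's own stolen key from a legitimate one, which is the failure mode the article's review is concerned with.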

Organizations targeted by the threat group, tracked as Storm-0558, reportedly included the U.S. State and Commerce departments, with Secretary of Commerce Gina Raimondo’s email account among those compromised.

In a statement on Friday, the DHS said the CSRB review would focus on approaches government, industry, and cloud service providers (CSPs) should employ to strengthen identity management and authentication in the cloud.

As well as looking into the Storm-0558 attacks, the board would carry out “a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers,” the DHS said.

“The Board will develop actionable recommendations that will advance cybersecurity practices for both cloud computing customers and CSPs themselves.”

It will be the CSRB’s third investigation: its first report in 2022 focused on the Log4j security flaw and its second, made public last week, covered the Lapsus$ threat group.

News of the Microsoft/CSPs review was welcomed by Sen. Ron Wyden, D-Ore., who called for the CSRB to investigate the Storm-0558 attacks two weeks ago, and accused Microsoft of acting negligently by allowing its encryption methods to be compromised.

But in a statement, Wyden was also critical of the earlier direction taken by the CSRB, saying its first report should have investigated the SolarWinds campaign, as it was expected to do based on the 2021 executive order signed by President Joe Biden that led to the board’s establishment.

“Had the board studied the 2020 SolarWinds hack, as President Biden originally directed, its findings might have been able to shore up federal cybersecurity in time to stop hackers from exploiting a similar vulnerability in the most recent incident,” Wyden said.

“The government will only be able to protect federal systems against cyberattacks by getting to the bottom of what went wrong. Ignoring problems is both a waste of taxpayer dollars and a massive gift to America's adversaries.”

Rob Silvers, chair of the CSRB and undersecretary of Homeland Security for strategy, policy and plans, has previously said the board pivoted from SolarWinds to Log4j for its first report after discussions with the White House because it was felt that would be a more valuable initial investigation.

The CSRB does not have regulatory or enforcement powers, but is intended to be a body that identifies lessons from major cyber breaches so protections can be put in place.

Commenting on the Microsoft/CSPs review, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), said the security of cloud environments required a “persistent focus.”

“The Board’s findings and recommendations from this assessment will advance cybersecurity practices across cloud environments and ensure that we can collectively maintain trust in these critical systems,” she said.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
