A damning report by a high-powered independent board has accused Microsoft of woeful security failings and misleading the public in the wake of a “preventable” cyberattack last year that targeted sensitive U.S. government emails.
The Cyber Safety Review Board (CSRB) spent seven months investigating Microsoft’s security systems after Chinese cyberespionage gang Storm-0558 compromised hundreds of Microsoft Exchange Online mailboxes, including those belonging to Secretary of Commerce Gina Raimondo and the U.S. Ambassador to China, Nicholas Burns.
“The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft,” the CSRB said in its 34-page report, released on Tuesday.
Storm-0558, which is linked to China’s top intelligence agency, the Ministry of State Security, was able to access more than 500 individual mailboxes belonging to 22 organizations by obtaining a signing key.
The CSRB described the key as “the cryptographic equivalent of crown jewels for any cloud service provider.” It berated the company, not just for its lax systems that allowed the key to be abused, but also for misleading the public over how the hackers accessed it.
In a post about the incident published last September, Microsoft claimed the key was exposed when the company’s consumer signing system crashed in April 2021, generating a “crash dump” which included the signing key.
According to the CSRB, soon after publishing the post Microsoft concluded it did not have evidence that the key had been exposed in the crash dump, but it took months, and repeated prompting from the board, before it eventually amended the post.
“The loss of a signing key is a serious problem, but the loss of a signing key through unknown means is far more significant because it means that the victim company does not know how its systems were infiltrated and whether the relevant vulnerabilities have been closed off,” the CSRB said.
“Left with the mistaken impression that Microsoft has conclusively identified the root cause of this incident, Microsoft’s customers did not have essential facts needed to make their own risk assessments about the security of Microsoft cloud environments in the wake of this intrusion.”
The board said its review had “identified a series of Microsoft operational and strategic decisions that collectively points to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
The security culture at the world’s largest software vendor “was inadequate and requires an overhaul,” the report said.
In a statement responding to the report, Microsoft said it recognized the “need to adopt a new culture of engineering security in our own networks.” Microsoft adopted what it called its Secure Future Initiative, aimed at embedding security into the software development and testing process, since the Storm-0558 breach.
“While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” the company said.
Russian threat group also breached Microsoft accounts
In January, Microsoft disclosed another concerning security breach: Russian threat group APT29 breached the company’s corporate email accounts including some belonging to senior executives and members of the cybersecurity and legal teams.
The CSRB said it was “troubled” that the January breach occurred months after the Storm-0558 attack.
“This additional intrusion highlights the Board’s concern that Microsoft has not yet implemented the necessary governance or prioritization of security to address the apparent security weaknesses and control failures within its environment and to prevent similar incidents in the future.”
The report said the ubiquity of Microsoft’s products and services made it one of the most important technology companies in the world, if not the most important.
“This position brings with it utmost and global responsibilities. It requires a security-focused corporate culture of accountability, which starts with the CEO, to ensure that financial or other go-to-market factors do not undermine cybersecurity and the protection of Microsoft’s customers.”
The CSRB was established by President Joe Biden in 2022 to review and assess significant cyber incidents. The Microsoft review was the board’s third. It previously investigated the Log4j security flaw and the Lapsus$ threat group.
