Microsoft Singled Out In Review Of Chinese Hack Of US Government Emails


Cyber Safety Review Board concludes Chinese hack of top US government officials’ emails was preventable, and blames Microsoft

Microsoft has been singled out by an official review in the United States into a high-profile compromise of US government emails by Chinese hackers.

The U.S. Cyber Safety Review Board (CSRB) has published its findings and recommendations following its independent review of the summer 2023 Microsoft Exchange intrusion. It singled Microsoft out for its cybersecurity lapses and a lack of transparency.

It comes after US officials and Microsoft acknowledged in July 2023 that hackers suspected to be allied to the Chinese government had accessed the accounts of about 25 organisations, including the US Commerce and State Departments.

[Image: America, US and China. Image credit: Shutterstock © Aquir]

Storm-0558 hack

Microsoft then revealed that the attack group Storm-0558, affiliated with the People’s Republic of China, had used an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA (Outlook Web Access) and Outlook.com.

China denied the hack (as it commonly does), but it emerged that the US State Department staff whose accounts were compromised mostly focused on Indo-Pacific diplomacy, and the hackers had obtained a list of all the department’s email accounts.

In August it emerged that Microsoft’s role in the breach of government officials’ email accounts by suspected Chinese hackers was to be officially investigated.

In October 2023 the US State Department confirmed the Microsoft hack was linked to China, and resulted in theft of about 60,000 emails from 10 accounts, including the US ambassador to China.

CSRB findings

Now the CSRB has published its findings which are to be delivered to President Joe Biden, and the report will make for uncomfortable reading for Microsoft bosses including CEO Satya Nadella.

“Individuals and organisations across the country rely on cloud services every day, and the security of this technology has never been more important,” said Secretary of Homeland Security Alejandro N. Mayorkas.

“Nation-state actors continue to grow more sophisticated in their ability to compromise cloud service systems,” said Secretary Mayorkas. “Public-private partnerships like the CSRB are critical in our efforts to mitigate the serious cyber threat these nation-state actors pose.”

“The Department of Homeland Security appreciates the Board’s comprehensive review and report of the Storm-0558 incident,” said Secretary Mayorkas. “Implementation of the Board’s recommendations will enhance our cybersecurity for years to come.”

The CSRB’s review found that the intrusion by Storm-0558, a hacking group assessed to be affiliated with the People’s Republic of China, was preventable.

It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritised enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.

CSRB recommendations

The CSRB recommends that Microsoft develop and publicly share a plan with specific timelines to make fundamental, security-focused reforms across the company and its suite of products. Microsoft fully cooperated with the Board’s review.

Select recommendations include:

  • Cloud Service Provider Cybersecurity Practices: Cloud service providers should implement modern control mechanisms and baseline practices, informed by a rigorous threat model, across their digital identity and credential systems to substantially reduce the risk of system-level compromise.
  • Audit Logging Norms: Cloud service providers should adopt a minimum standard for default audit logging in cloud services to enable the detection, prevention, and investigation of intrusions as a baseline and routine service offering without additional charge.
  • Digital Identity Standards and Guidance: Cloud service providers should implement emerging digital identity standards to secure cloud services against prevailing threat vectors. Relevant standards bodies should refine, update, and incorporate these standards to address digital identity risks commonly exploited in the modern threat landscape.
  • Cloud Service Provider Transparency: Cloud service providers should adopt incident and vulnerability disclosure practices to maximize transparency across and between their customers, stakeholders, and the United States government.
  • Victim Notification Processes: Cloud service providers should develop more effective victim notification and support mechanisms to drive information-sharing efforts and amplify pertinent information for investigating, remediating, and recovering from cybersecurity incidents.
  • Security Standards and Compliance Frameworks: The US government should update the Federal Risk and Authorisation Management Program (FedRAMP) and supporting frameworks and establish a process for conducting discretionary special reviews of the program’s authorised Cloud Service Offerings following especially high-impact situations.
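The Storm-0558 intrusion described above turned on a consumer MSA key being used to sign tokens that were then accepted by enterprise mail services, and the Board's audit-logging recommendation is about making such misuse visible. The following added example (not Microsoft's code, and not a description of Microsoft's actual token format or validation logic) uses a constructed HMAC-signed token to show two defensive points: a verifier should only accept signing keys that belong to the realm the receiving service lives in, and every rejection should be written to an audit log so that a key being presented outside its realm is detectable. The realm names, key identifiers, claims and the `verify_token_loose` contrast function are all hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed key stores for two separate token realms. In production these
# would live in separate key management systems; the key bytes here are
# random placeholders generated when the module loads.
KEYS = {
    "consumer": {"consumer-k1": secrets.token_bytes(32)},
    "enterprise": {"enterprise-k1": secrets.token_bytes(32)},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(realm: str, kid: str, claims: dict) -> str:
    """Mint a toy token of the form b64(header).b64(claims).b64(signature)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[realm][kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def _parse(token: str):
    """Split and decode a token; raises ValueError on any malformed input."""
    h_b64, c_b64, s_b64 = token.split(".")
    return h_b64, c_b64, s_b64, json.loads(_unb64(h_b64)), json.loads(_unb64(c_b64))


def verify_token(token: str, service_realm: str, expected_aud: str, audit_log: list):
    """Hardened verifier: the key lookup is scoped to the service's own realm.

    Returns the claims on success, None on rejection. Every outcome is
    appended to audit_log so that key misuse across realms is detectable.
    """
    try:
        h_b64, c_b64, s_b64, header, claims = _parse(token)
    except ValueError:
        audit_log.append({"result": "reject", "reason": "malformed"})
        return None
    kid = header.get("kid")
    # A key that exists only in another realm is unknown here, so the token
    # is rejected even though its signature would verify under that key.
    key = KEYS.get(service_realm, {}).get(kid)
    if key is None:
        audit_log.append({"result": "reject", "reason": "unknown_kid_for_realm",
                          "kid": kid, "realm": service_realm})
        return None
    expected_sig = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64(s_b64)):
        audit_log.append({"result": "reject", "reason": "bad_signature", "kid": kid})
        return None
    if claims.get("aud") != expected_aud:
        audit_log.append({"result": "reject", "reason": "wrong_audience", "kid": kid})
        return None
    audit_log.append({"result": "accept", "kid": kid, "sub": claims.get("sub")})
    return claims


def verify_token_loose(token: str, expected_aud: str, audit_log: list):
    """Hypothetical weak design for contrast: looks the kid up across ALL realms.

    A validly signed token from any realm is accepted as long as the audience
    matches, so a key from the consumer realm reaches enterprise services.
    """
    try:
        h_b64, c_b64, s_b64, header, claims = _parse(token)
    except ValueError:
        audit_log.append({"result": "reject", "reason": "malformed"})
        return None
    kid = header.get("kid")
    key = next((store[kid] for store in KEYS.values() if kid in store), None)
    if key is None:
        audit_log.append({"result": "reject", "reason": "unknown_kid", "kid": kid})
        return None
    expected_sig = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64(s_b64)) or claims.get("aud") != expected_aud:
        audit_log.append({"result": "reject", "reason": "bad_signature_or_audience", "kid": kid})
        return None
    audit_log.append({"result": "accept", "kid": kid, "sub": claims.get("sub")})
    return claims


def cross_realm_rejections(audit_log: list) -> list:
    """Detection helper: entries where a key was presented outside its realm."""
    return [e for e in audit_log if e.get("reason") == "unknown_kid_for_realm"]


if __name__ == "__main__":
    log = []
    good = mint_token("enterprise", "enterprise-k1", {"sub": "alice", "aud": "mail"})
    # Constructed: a token signed with a consumer-realm key but aimed at mail.
    crossed = mint_token("consumer", "consumer-k1", {"sub": "alice", "aud": "mail"})
    print("strict, enterprise key:", verify_token(good, "enterprise", "mail", log) is not None)
    print("strict, consumer key:  ", verify_token(crossed, "enterprise", "mail", log) is not None)
    print("loose, consumer key:   ", verify_token_loose(crossed, "mail", log) is not None)
    print("cross-realm rejections logged:", len(cross_realm_rejections(log)))
```

The point of the contrast is that both verifiers check the signature correctly; the difference is only in which keys are eligible, and only the strict verifier leaves an audit entry naming the realm mismatch that a detection rule can key on.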

“DHS is committed to efforts that meaningfully improve cybersecurity resilience and preparedness for our nation, and the work of the CSRB is reflective of our determination and dedication to this cause,” said CISA Director Jen Easterly.

“I am confident that the findings and recommendations from the Board’s report will catalyze action to reduce risk to the critical infrastructure Americans rely on every day,” said Easterly.

Microsoft response

Microsoft pointed out that no organisation can escape being targeted, but said that it has taken action to harden its systems.

“While no organisation is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” Microsoft was quoted by Reuters as saying.

“Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations,” Microsoft reportedly added.

China hacking

Last week the United States and United Kingdom imposed new sanctions on China after accusing the country of sustaining a cyber-attack campaign lasting more than a decade that targeted Western officials, journalists, corporations and pro-democracy activists, and the UK’s Electoral Commission.

New Zealand’s security minister also confirmed that hackers linked to the Chinese government had launched a state-sponsored operation that targeted New Zealand’s Parliament in 2021.

Last October the heads of Five Eyes intelligence agencies came together in a rare move to publicly accuse China of intellectual property theft and using AI for hacking.

[Image: Five Eyes intelligence chiefs. From left to right: Australian Security Intelligence Organisation Director-General Mike Burgess, Canadian Security Intelligence Service Director David Vigneault, FBI Director Christopher Wray, New Zealand Security Intelligence Service Director-General of Security and Chief Executive Andrew Hampton, and MI5 Director General Ken McCallum at the Emerging Technology and Securing Innovation Summit in Palo Alto, California, on 16 October 2023. Image credit: FBI]