The U.S. Cyber Safety Review Board (CSRB) has criticized Microsoft for a series of security lapses that led to the breach of nearly two dozen companies across Europe and the U.S. by a China-based nation-state group called Storm-0558 last year.
The findings, released by the Department of Homeland Security (DHS) on Tuesday, found that the intrusion was preventable, and that it became successful due to a “cascade of Microsoft’s avoidable errors.”
“It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the DHS said in a statement.
The CSRB also lambasted the tech titan for failing to detect the compromise on its own, instead relying on a customer to reach out to flag the breach. It further faulted Microsoft for not prioritizing the development of an automated key rotation solution and rearchitecting its legacy infrastructure to meet the needs of the current threat landscape.
The incident first came to light in July 2023 when Microsoft revealed that Storm-0558 gained unauthorized access to 22 organizations as well as more than more than 500 related individual consumer accounts.
Microsoft subsequently said a validation error in its source code made it possible for Azure Active Directory (Azure AD) tokens to be forged by Storm-0558 using a Microsoft account (MSA) consumer signing key, thus allowing the adversary to infiltrate the mailboxes.
In September 2023, the company divulged that Storm-0558 acquired the consumer signing key to forge the tokens by compromising an engineer’s corporate account that had access to a debugging environment hosting a crash dump of its consumer signing system that also inadvertently contained the signing key.
Microsoft has since acknowledged in a March 2024 update that it was inaccurate and that it has not still been able to locate a “crash dump containing the impacted key material.” It also said its investigation into the hack remains ongoing.
“Our leading hypothesis remains that operational errors resulted in key material leaving the secure token signing environment that was subsequently accessed in a debugging environment via a compromised engineering account,” it noted.
“Recent events have demonstrated a need to adopt a new culture of engineering security in our own networks,” a Microsoft spokesperson was quoted as saying to The Washington Post.
As many as 60,000 unclassified emails from Outlook accounts are believed to have been exfiltrated over the course of the campaign that began in May 2023. China has rejected accusations that it was behind the attack.
Earlier this February, Redmond expanded free logging capabilities to all U.S. federal agencies using Microsoft Purview Audit, irrespective of the license tier, to help them detect, respond, and prevent sophisticated cyber attacks.
“The threat actor responsible for this brazen intrusion has been tracked by industry for over two decades and has been linked to 2009 Operation Aurora and 2011 RSA SecureID compromises,” said CSRB Acting Deputy Chair Dmitri Alperovitch.
“This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government.”
To safeguard against threats from state-sponsored actors, cloud service providers have been recommended to –
“The United States government should update the Federal Risk Authorization Management Program and supporting frameworks and establish a process for conducting discretionary special reviews of the program’s authorized Cloud Service Offerings following especially high-impact situations,” the CSRB said.