The Department of Homeland Security (DHS) released a scathing review of Microsoft’s cybersecurity protocols on Tuesday, holding the cloud provider responsible for the exposure of high-ranking government officials’ emails. The review attributed the breach to “a series of security lapses at Microsoft,” indicating a dire need for an overhaul of the company’s security culture.
Robert Silvers, Chair of the Cyber Safety Review Board, emphasized the urgency for cloud service providers to prioritize security and integrate it into their systems from the outset. According to the report, Microsoft’s security culture was found lacking, resulting in the compromise of email accounts belonging to significant figures such as Commerce Secretary Gina Raimondo, U.S. Ambassador to China R. Nicholas Burns, and Congressman Don Bacon. The threat actor was able to access over 60,000 emails from the State Department alone.
The report categorically states that this breach was preventable and highlights the necessity for substantial changes to Microsoft’s security culture. Moreover, it criticizes Microsoft for issuing inaccurate public statements regarding the root cause of the attack, which remains unidentified to this day.
The attack was attributed to Storm-0558, a hacker group associated with the People’s Republic of China. Beginning as early as May 2023, the hackers exploited vulnerabilities in Microsoft’s token validation system, allowing them unrestricted access to virtually any Exchange Online account.
After detecting the breach on June 15, the State Department promptly informed Microsoft, which led to the involvement of the Federal Bureau of Investigation (FBI). Microsoft also notified a UK-based organization that had fallen victim to the same attack. By June 24, Microsoft managed to invalidate the stolen key used by Storm-0558.
Given the significance of the targeted government officials in U.S.-China relations, the timing and nature of the attack appear deliberate. The DHS board issued comprehensive recommendations for Microsoft to overhaul its security practices, including direct involvement from CEO Satya Nadella and the board of directors in enhancing the company’s security culture. Furthermore, the report underscores the importance of addressing security risks before implementing new features.
Microsoft has yet to comment on the report. However, the company’s handling of the situation, including its cooperation with authorities and notification of affected parties, will likely be under increased scrutiny in the coming days. The incident serves as a stark reminder of the critical importance of robust cybersecurity measures, especially in the context of cloud-based services handling sensitive government information.