The US Cyber Safety Review Board (CSRB) has criticized Microsoft for a series of security failures that led to the breach of nearly two dozen companies in Europe and the United States last year by a China-based nation-state group tracked as Storm-0558.
The report, released Tuesday by the Department of Homeland Security (DHS), concluded that the intrusion was preventable and succeeded thanks to a “cascade of avoidable errors by Microsoft.”
“It identified a number of operational and strategic decisions by Microsoft that collectively indicated a corporate culture that deprioritized investment in corporate security and rigorous risk management, at odds with the company’s centrality to the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the DHS said in a statement.
The CSRB also harshly criticized the tech titan for failing to detect the compromise itself, instead relying on the customer to report the breach. It also faulted Microsoft for not prioritizing the development of an automated key rotation solution and for not redesigning its legacy infrastructure to meet the needs of the current threat landscape.
The incident first came to light in July 2023, when Microsoft revealed that Storm-0558 had gained unauthorized access to 22 organizations and more than 500 related individual consumer accounts.
Microsoft later said that a validation error in its source code made it possible for Storm-0558 to spoof Azure Active Directory (Azure AD) tokens using a Microsoft Account (MSA) consumer signing key, thus allowing the adversary to infiltrate inboxes.
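The validation error described above is a key-scoping problem: the verifier trusted a signature from any key in its key set without checking which issuer that key was authorized to sign for. The following is an added illustration, not Microsoft's code; it uses constructed HS256-style tokens and a constructed key set (the real MSA/Azure AD key metadata differs) to contrast a verifier that only checks the signature with one that also binds the key to the expected issuer.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set (not real Microsoft key material): each key carries the
# issuer it is authorised to sign for, which is what the hardened check uses.
KEYS = {
    "msa-consumer": {"secret": b"consumer-key-bytes",
                     "issuer": "https://login.live.com"},
    "aad-enterprise": {"secret": b"enterprise-key-bytes",
                       "issuer": "https://login.microsoftonline.com/contoso"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(kid: str, claims: dict) -> str:
    """Sign a token with the named key (constructed format, for illustration only)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _check_signature(token: str):
    """Return (key, claims) if the signature verifies under the key named by kid, else (None, None)."""
    header_b64, body_b64, sig_b64 = token.split(".")
    key = KEYS.get(json.loads(_unb64(header_b64)).get("kid"))
    if key is None:
        return None, None
    expected = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None, None
    return key, json.loads(_unb64(body_b64))

def verify_unscoped(token: str, expected_issuer: str) -> bool:
    # Weak: any key in the set is trusted for any issuer, so a token signed with
    # the consumer key is accepted as long as its iss claim names the enterprise issuer.
    key, claims = _check_signature(token)
    return claims is not None and claims.get("iss") == expected_issuer

def verify_scoped(token: str, expected_issuer: str) -> bool:
    # Hardened: the signing key itself must be bound to the issuer the verifier expects.
    key, claims = _check_signature(token)
    return (claims is not None and claims.get("iss") == expected_issuer
            and key["issuer"] == expected_issuer)
```

The same scoping rule applies when keys are fetched from a JWKS endpoint: record which issuer each key was published for and reject any token whose key does not match its claimed issuer.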
In September 2023, the company disclosed that Storm-0558 acquired the consumer signing key used to spoof the tokens by compromising the corporate account of an engineer who had access to a debug environment hosting a crash dump of its consumer signing system, a dump that also inadvertently contained the signing key.
Microsoft has since acknowledged in a March 2024 update that this account was inaccurate and that it has not been able to locate a “crash dump containing the affected key material.” It also said its investigation into the hack remains ongoing.
“Our primary hypothesis remains that operational errors led to key material leaving the secure token signing environment which was subsequently accessed in a debug environment via a compromised technical account,” it noted.
“Recent events have demonstrated the need to adopt a new culture of engineering security across our networks,” a Microsoft spokesperson told the Washington Post.
Around 60,000 unclassified emails from Outlook accounts are believed to have been stolen during the campaign which began in May 2023. China has rejected accusations that it was behind the attack.
In early February, Redmond extended free logging capabilities to all U.S. federal agencies using Microsoft Purview Audit, regardless of license level, to help them detect, respond to, and prevent sophisticated cyber attacks.
“The threat actor responsible for this brazen intrusion has been tracked by the industry for over two decades and has been linked to the 2009 Operation Aurora and the 2011 RSA SecurID compromises,” said CSRB Acting Vice President Dmitri Alperovitch.
“This PRC-affiliated hacking group has the ability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government.”
To protect against threats from state-sponsored actors, the CSRB recommended that cloud service providers:
- Implement modern control mechanisms and basic practices
- Adopt a minimum standard for default audit logging in cloud services
- Incorporate emerging digital identity standards to secure cloud services
- Adopt incident and vulnerability disclosure practices to maximize transparency
- Develop more effective notification and support mechanisms for victims to promote information sharing efforts
“The US government should update the Federal Risk and Authorization Management Program and supporting frameworks and establish a process to conduct discretionary special reviews of program-authorized cloud service offerings following particularly high-impact situations,” the CSRB stated.