A hacking group associated with the government of the People’s Republic of China, known as Storm-0558, compromised Microsoft’s cloud last year, and struck “the espionage equivalent of gold”. That’s according to an official review of the Microsoft Exchange Online intrusion of summer 2023, released by the United States federal Department of Homeland Security (DHS).
The intrusion should never have happened, the review found. Storm-0558 was able to succeed because of “a cascade of security failures at Microsoft”. The mailboxes of 22 organisations (including “several” in the UK) and 500 people were compromised, among them the email accounts of Commerce Secretary Gina Raimondo and United States Ambassador to the People’s Republic of China R Nicholas Burns. Microsoft reported three affected UK accounts to the UK official National Cyber Security Centre (NCSC).
The review found Microsoft’s security culture was “inadequate” and required an overhaul, “particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company”. In more detail, the report stated it had “identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management. These decisions resulted in significant costs and harm for Microsoft customers”.
Communications of diplomats and other officials, commercial trade secrets and intellectual property, everyday emails; all are “in the cloud”. That makes cloud computing, as DHS Under Secretary of Policy and Cyber Safety Review Board (CSRB) Chair Robert Silvers put it, “some of the most critical infrastructure we have”. “It is imperative that cloud service providers prioritise security and build it in by design,” he said.
CSRB Acting Deputy Chair Dmitri Alperovitch meanwhile termed the intrusion “brazen”, by hackers tracked by industry for 20 years and linked to similar 2009 and 2011 compromises. He said: “This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government. Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors.”
This was the third such review by CSRB, set up in 2022. It found that Microsoft failed to detect the compromise of its “cryptographic crown jewels”: the intrusion dated from May, yet it was the US federal State Department that detected anomalous activity on June 15 and notified Microsoft on June 16. Microsoft had also failed to detect a compromise of an employee’s laptop from a recently acquired company before allowing it to connect to Microsoft’s corporate network in 2021. The firm made inaccurate public statements about the incident, and failed to correct them for months. In a separate incident, disclosed by Microsoft in January 2024, another (Russian) “nation-state actor” accessed “highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems”.
The “crown jewels” in IT terms are “signing keys”, used for secure authentication into remote systems. Microsoft does not know how or when the hackers got the key, which, combined with another flaw in Microsoft’s authentication system, let them access “any Exchange Online account anywhere”. The report called for a public plan by Microsoft with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products, and said that Microsoft’s CEO should hold senior officers accountable for delivery. The report asked Microsoft to “deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made”. The report quoted a 2002 email to all staff by Microsoft’s founder and then-CEO, Bill Gates, on choosing security when faced with a choice of “adding features and resolving security issues”. The review added that “Microsoft has drifted away from this ethos and needs to restore it immediately”.
The document called on Microsoft and other cloud service providers to “take accountability for the security outcomes of their customers”. It did state that “technical mechanisms exist today across the industry that can, if broadly implemented, significantly reduce the likelihood of complete system-level compromise”. As for digital identity standards, the report said that the “current ecosystem” “does not provide the security necessary to counter modern threat actors”.
Microsoft in November launched a Secure Future Initiative (SFI), described by the firm as “a multi-year commitment advancing the way we design, build, test, and operate our technology”. Visit https://www.microsoft.com/en-us/security/blog/2024/03/06/enhancing-protection-updates-on-microsofts-secure-future-initiative.
DHS and the European Commission’s Directorate General for Communications, Networks, Content, and Technology (DG CONNECT) meanwhile announced an initiative to compare cyber incident reporting elements, which will inform cyber incident reporting requirements in the US and in the European Union (EU) under the NIS 2 Directive.
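To make concrete why a stolen signing key combined with a validation gap can reach accounts far beyond the key’s intended scope, here is an added illustration in Python; it is not code from the CSRB report, from Microsoft, or from any real identity service, and it does not reproduce the specific Microsoft flaw. It assumes a constructed keyring in which each signing key is bound to exactly one token issuer (placeholder issuer URLs and placeholder HMAC secrets stand in for a real provider’s asymmetric keys). A lenient validator checks only that the signature verifies under whichever key the token names; a strict one first checks that the named key is allowed to sign for the issuer the relying party expects. With the lenient check, a token signed by a key from one scope is accepted for another scope; with the strict check it is refused before the signature is even examined.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo keyring (placeholder secrets and issuers, not any real provider's).
# Each signing key is bound to the one issuer whose tokens it may sign.
KEYRING = {
    "consumer-key-1": {
        "secret": b"placeholder-consumer-signing-secret",
        "issuer": "https://login.example.test/consumer",
    },
    "enterprise-key-1": {
        "secret": b"placeholder-enterprise-signing-secret",
        "issuer": "https://login.example.test/enterprise",
    },
}
ENTERPRISE_ISSUER = KEYRING["enterprise-key-1"]["issuer"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Sign claims with the named key in HS256 JWT layout (header.payload.signature).
    Anyone holding a key's secret can do this, which is what a key leak means."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYRING[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    claims = json.loads(_b64url_decode(body_b64))
    return head_b64 + "." + body_b64, header, claims, _b64url_decode(sig_b64)


def _signature_ok(signing_input: str, secret: bytes, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _claims_ok(claims: dict, expected_issuer: str, now: float) -> bool:
    return claims.get("iss") == expected_issuer and claims.get("exp", 0) > now


def validate_lenient(token: str, expected_issuer: str, now=None):
    """Flawed: trusts a valid signature from ANY keyring key as long as the token's own
    `iss` claim names the expected issuer. It never asks whether that key is allowed
    to sign for this issuer, so one leaked key vouches for every other scope."""
    now = time.time() if now is None else now
    signing_input, header, claims, sig = _split(token)
    key = KEYRING.get(header.get("kid"))
    if key is None or not _signature_ok(signing_input, key["secret"], sig):
        return None
    return claims if _claims_ok(claims, expected_issuer, now) else None


def validate_strict(token: str, expected_issuer: str, now=None):
    """Hardened: pins the algorithm, resolves `kid` to a key, and requires that key to be
    bound to the issuer the relying party expects before checking the signature."""
    now = time.time() if now is None else now
    signing_input, header, claims, sig = _split(token)
    if header.get("alg") != "HS256":
        return None
    key = KEYRING.get(header.get("kid"))
    if key is None or key["issuer"] != expected_issuer:
        return None
    if not _signature_ok(signing_input, key["secret"], sig):
        return None
    return claims if _claims_ok(claims, expected_issuer, now) else None


def demo(now=None) -> dict:
    """Mint an enterprise-looking token with the (hypothetically leaked) consumer key and
    run it through both validators next to a genuinely issued enterprise token."""
    now = time.time() if now is None else now
    forged = mint_token("consumer-key-1",
                        {"iss": ENTERPRISE_ISSUER, "sub": "victim@example.test", "exp": now + 300})
    genuine = mint_token("enterprise-key-1",
                         {"iss": ENTERPRISE_ISSUER, "sub": "alice@example.test", "exp": now + 300})
    return {
        "lenient_accepts_forged": validate_lenient(forged, ENTERPRISE_ISSUER, now) is not None,
        "strict_accepts_forged": validate_strict(forged, ENTERPRISE_ISSUER, now) is not None,
        "lenient_accepts_genuine": validate_lenient(genuine, ENTERPRISE_ISSUER, now) is not None,
        "strict_accepts_genuine": validate_strict(genuine, ENTERPRISE_ISSUER, now) is not None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The defender’s takeaway is the ordering in `validate_strict`: key-to-issuer binding and algorithm pinning are checked before the signature, so a key that should never sign for this audience cannot be made to do so by a valid signature alone. The same binding should also drive detection: a token whose `kid` maps to a key outside the issuer’s scope is a signal worth alerting on, not merely rejecting.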