Case Studies

US review of Microsoft cloud compromise

by Mark Rowe

A hacking group associated with the government of the People’s Republic of China, known as Storm-0558, compromised Microsoft’s cloud last year, and struck ‘the espionage equivalent of gold’. That’s according to an official review of the Microsoft Exchange Online intrusion of summer 2023, released by the United States federal Department of Homeland Security (DHS).

The intrusion should never have happened, the review found. Storm-0558 succeeded because of ‘a cascade of security failures at Microsoft’. The mailboxes of 22 organisations (including ‘several’ in the UK) and 500 people were compromised, among them the email accounts of Commerce Secretary Gina Raimondo and United States Ambassador to the People’s Republic of China R Nicholas Burns. Microsoft reported three affected UK accounts to the UK official National Cyber Security Centre (NCSC).

The review found Microsoft’s security culture was ‘inadequate’ and requiring an overhaul, ‘particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company’. In more detail, the report stated it had ‘identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management. These decisions resulted in significant costs and harm for Microsoft customers’.

Communications of diplomats and other officials, commercial trade secrets and intellectual property, everyday emails; all are ‘in the cloud’. That makes cloud computing, as DHS Under Secretary of Policy and Cyber Safety Review Board (CSRB) Chair Robert Silvers put it, ‘some of the most critical infrastructure we have’. “It is imperative that cloud service providers prioritise security and build it in by design,” he said.

CSRB Acting Deputy Chair Dmitri Alperovitch meanwhile termed the intrusion ‘brazen’, the work of hackers tracked by industry for 20 years and linked to similar compromises in 2009 and 2011. He said: “This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government. Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors.”

This was the third such review by the CSRB, which was set up in 2022. It found that Microsoft itself failed to detect the compromise of its ‘cryptographic crown jewels’: the intrusion dated from May 2023, and it was the US federal State Department that detected anomalous activity on June 15 and notified Microsoft on June 16. Microsoft had also failed to detect the compromise of an employee’s laptop from a recently acquired company before allowing it to connect to Microsoft’s corporate network in 2021. The firm made inaccurate public statements about the incident, and failed to correct them for months. In a separate incident, disclosed by Microsoft in January 2024, another (Russian) ‘nation-state actor’ accessed ‘highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems’.

The ‘crown jewels’ in IT terms are ‘signing keys’, used for secure authentication into remote systems. Microsoft does not know how or when the hackers obtained the key, which they combined with another flaw in Microsoft’s authentication system to gain access to ‘any Exchange Online account anywhere’. The report called for a public plan by Microsoft, with specific timelines, to make fundamental, security-focused reforms across the company and its full suite of products, and for Microsoft’s CEO to hold senior officers accountable for delivery. The report asked Microsoft to ‘deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made’. It quoted a 2002 email to all staff by Microsoft’s founder and then-CEO, Bill Gates, on choosing security when faced with a choice between ‘adding features and resolving security issues’. The review added that ‘Microsoft has drifted away from this ethos and needs to restore it immediately’.
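To make concrete what a signing key is and why a token service has to check more than the signature itself, here is an added Python example; it is not code from the CSRB report, from Microsoft, or from this article. It is a minimal signed-token verifier whose key registry binds every key to the single issuer it may sign for and to a validity window, so a token signed with a key scoped to a different identity system, with a retired key, or with a tampered payload is rejected with a reason a defender can log. The key ids, issuer URLs, secrets and timestamps are constructed, and HMAC-SHA256 stands in for the asymmetric keys a real service would use.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key registry (hypothetical). Each signing key is bound to the one
# issuer it may sign for and carries a validity window. HMAC-SHA256 stands in for
# the asymmetric keys a real token service would use; the checks are the same.
KEY_REGISTRY = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret",
                       "issuer": "https://login.consumer.example",
                       "not_after": 4102444800},   # 2100-01-01
    "enterprise-key-7": {"secret": b"constructed-enterprise-secret",
                         "issuer": "https://login.enterprise.example",
                         "not_after": 4102444800},
    "enterprise-key-3": {"secret": b"constructed-retired-secret",
                         "issuer": "https://login.enterprise.example",
                         "not_after": 1700000000},  # retired in 2023-11
}
ENTERPRISE = "https://login.enterprise.example"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key_id: str) -> str:
    """Build header.payload.signature for claims using registry key key_id."""
    key = KEY_REGISTRY[key_id]
    header = _b64e(json.dumps({"alg": "HS256", "kid": key_id}).encode())
    payload = _b64e(json.dumps(claims).encode())
    mac = hmac.new(key["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64e(mac)}"


def verify_token(token: str, expected_issuer: str, now: Optional[float] = None) -> dict:
    """Return the claims if token is valid for expected_issuer; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64d(header_b64))
    key = KEY_REGISTRY.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown signing key")
    # Key scope: a key that signs for one identity system must never validate
    # tokens presented to another, whatever the token's own claims say.
    if key["issuer"] != expected_issuer:
        raise ValueError("signing key not authorised for this issuer")
    if now > key["not_after"]:
        raise ValueError("signing key expired")
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer claim does not match")
    if now > claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def verification_outcome(token: str, expected_issuer: str, now: float) -> str:
    """'ok' if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_token(token, expected_issuer, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def demo_outcomes(now: float = 1710000000) -> dict:
    """Run the verifier over constructed tokens; returns scenario -> outcome."""
    claims = {"iss": ENTERPRISE, "sub": "alice@enterprise.example", "exp": now + 3600}
    genuine = sign_token(claims, "enterprise-key-7")
    # Alter the subject but keep the original signature (constructed tampering).
    h, _, s = genuine.split(".")
    tampered = f"{h}.{_b64e(json.dumps(dict(claims, sub='admin')).encode())}.{s}"
    return {
        "genuine token": verification_outcome(genuine, ENTERPRISE, now),
        "wrong-scope key": verification_outcome(sign_token(claims, "consumer-key-1"), ENTERPRISE, now),
        "retired key": verification_outcome(sign_token(claims, "enterprise-key-3"), ENTERPRISE, now),
        "tampered payload": verification_outcome(tampered, ENTERPRISE, now),
        "expired token": verification_outcome(
            sign_token(dict(claims, exp=now - 1), "enterprise-key-7"), ENTERPRISE, now),
    }


if __name__ == "__main__":
    for scenario, outcome in demo_outcomes().items():
        print(f"{scenario:18} -> {outcome}")
```

The ordering of the checks is deliberate: the key's scope and validity are tested before the signature is even computed, so a token cannot talk its way past the verifier with a plausible issuer claim, and each rejection reason is distinct so that a spike in one of them (for example, ‘signing key not authorised for this issuer’) can be alerted on.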

The document called on Microsoft and other cloud service providers to ‘take accountability for the security outcomes of their customers’. It stated that ‘technical mechanisms exist today across the industry that can, if broadly implemented, significantly reduce the likelihood of complete system-level compromise’. As for digital identity standards, the report said that the ‘current ecosystem’ ‘does not provide the security necessary to counter modern threat actors’.

Microsoft in November launched a Secure Future Initiative (SFI), described by the firm as ‘a multi-year commitment advancing the way we design, build, test, and operate our technology’. Visit https://www.microsoft.com/en-us/security/blog/2024/03/06/enhancing-protection-updates-on-microsofts-secure-future-initiative.

The US Department of Homeland Security (DHS) and the European Commission’s Directorate General for Communications, Networks, Content, and Technology (DG CONNECT) meanwhile announced an initiative to compare cyber incident reporting elements, which will inform cyber incident reporting requirements in the US and, under the NIS 2 Directive, in the European Union (EU).


© 2024 Professional Security Magazine. All rights reserved.
