DHS blames ‘cascade of security failures at Microsoft’ for China hack on US government

Microsoft still does not have a full understanding of how alleged Chinese government hackers breached its systems and accessed the emails of senior U.S. government leaders, according to a review by the Department of Homeland Security. 

In a 34-page report conducted by the Cyber Safety Review Board (CSRB), U.S. officials concluded that Chinese hackers, known as Storm-0558, were able to succeed “because of a cascade of security failures at Microsoft.” The CSRB report, which was dated March 20 and released publicly on Tuesday, was shared with President Joe Biden and Secretary of Homeland Security Alejandro Mayorkas. 

The CSRB was tasked with investigating a 2023 incident where apparent Chinese hackers gained access to the email accounts of U.S. Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns and Daniel Kritenbrink, the assistant secretary of state for East Asia, ahead of their trip to China in June 2023.

In total, the hackers compromised the Microsoft Exchange Online mailboxes of 22 organizations and 503 individuals around the world — including officials at the Commerce Department, State Department and Congressman Don Bacon, a member of the House Taiwan Caucus. 

According to the CSRB, the threat actor “downloaded approximately 60,000 emails from the State Department alone.”

The CSRB concluded that the intrusion “should never have happened” and throughout their review, they “identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

“The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the report said, noting that on top of the operational failures, Microsoft did not detect the incident itself, relying instead on an initial notification from the State Department. 

The report lists dozens of security changes that Microsoft’s rivals — Google, Amazon and Oracle — have made to their cloud systems to avoid the kind of intrusions that occurred in this incident. It notes that before the CSRB finished its report, Microsoft announced another breach involving alleged Russian hackers. 

One of the most significant issues raised in the report is that after months of investigations, Microsoft still does not know how the hackers obtained a signing key that allowed them to have widespread access throughout Microsoft products. 

Signing keys allow hackers to grant themselves permission to access any information or systems within that key’s domain. The key, along with other flaws, allowed the hackers “to gain full access to essentially any Exchange Online account.”

Microsoft invalidated the stolen key on June 24 and believes this was effective because they saw Storm-0558 “attempt phishing and other methods to regain access to the email boxes it had previously compromised.”

But the CSRB slammed Microsoft for not only failing to provide the Commerce Department with the logging data that was requested for their investigation but for also waiting months to correct erroneous claims the company made in the fall that the security keys were obtained from a crash dump. 

The CSRB had multiple meetings with Microsoft demanding they provide the public with an updated notification explaining that the crash dump theory was not proven and may not be how the hackers obtained the key.

“By the conclusion of this review, Microsoft was still unable to demonstrate to the Board that it knew how Storm-0558 had obtained the 2016 MSA key,” the report said. “The Board further determines that Microsoft has no evidence or logs showing the stolen key’s presence in or exfiltration from a crash dump.”

The report also found that the hackers behind the Microsoft incident were also linked to the 2009 Operation Aurora targeting Google and the 2011 RSA SecureID compromises, CSRB Acting Deputy Chair Dmitri Alperovitch said in a statement. 

“This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government,” Alperovitch said.

“Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors.”

The Chinese Embassy forcefully denied any involvement in the 2023 incident in a statement to Reuters last year.

Microsoft did not respond to specific questions about the assertions made in the report, only telling Recorded Future News that “recent events have demonstrated a need to adopt a new culture of engineering security in our own networks.” 

A spokesperson said Storm-0558 is an example of “well-resourced nation state threat actors who operate continuously and without meaningful deterrence.”

“We have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” the Microsoft spokesperson said. 

“Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations." 

CSRB recommendations for Microsoft

The report includes dozens of recommendations it wants Microsoft to take into account as it looks to rebound from the incident. The board spoke with dozens of other cloud providers who listed off multiple ways they guard against the kind of stolen signing key attack Microsoft dealt with.

The CSRV said Microsoft’s customers would “benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.”

Senior officers at Microsoft should be held accountable and the CSRB said Microsoft needs to “deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources.”

Roger Cressey, a former senior national security official of the Clinton and Bush administrations, told Recorded Future News that the CSRB findings “confirm what the security community has known for years – Microsoft does not take its security responsibilities for our government seriously.” 

Microsoft's products and services have repeatedly been targeted and successfully exploited by our adversaries for years,” he said, calling the 2023 incident “Microsoft’s Boeing moment” — in reference to recent controversies around the airplane maker. 

“There must be real cultural and leadership changes. The U.S. government needs to reconsider its relationship with the company that dominates the public sector IT market but continually fails to fulfill its security obligations,” he said. 

“At a minimum, the CSRB report presents a clear case for putting a hold on any new contract awards to Microsoft until it demonstrates that it can be a dependable partner to the federal government. The Administration deserves kudos for its blunt assessment of Microsoft’s security failures; the next step is to use the government's procurement power to demand accountability and change from Microsoft.”