Senator calls on DOJ to investigate alleged China hack of Microsoft cloud tools
A leading U.S. senator asked the Justice Department and several other agencies to investigate a recent hack of Microsoft-provided email accounts used by top government officials.
In a letter published on Thursday and first reported by the Wall Street Journal, U.S. Senator Ron Wyden (D-OR) asked the Justice Department, Federal Trade Commission and Cybersecurity and Infrastructure Security Agency (CISA) to investigate whether the security practices of Microsoft allowed alleged Chinese government hackers to breach the email accounts of several officials – including U.S. Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns and Assistant Secretary of State for East Asia Daniel Kritenbrink – ahead of their trip to China last month.
“Government emails were stolen because Microsoft committed another error,” Wyden said. “Holding Microsoft responsible for its negligence will require a whole-of-government effort.”
Wyden asked CISA director Jen Easterly to have the Cyber Safety Review Board – which previously examined the Log4j issue and is now looking into the Lapsus$ hacks – investigate the Microsoft incident.
In addition to studying Microsoft’s security practices in the situation, he urged the board to scrutinize how the tech giant’s missteps were not discovered during external audits that are required for government contractors.
Wyden also urged Attorney General Merrick Garland to “examine whether Microsoft’s negligent practices violated federal law.”
FTC chair Lina Khan was also asked to investigate whether Microsoft violated a cybersecurity consent decree and other federal privacy and data security laws in its handling of the incident.
Wyden, one of the few U.S. senators heavily involved in cybersecurity issues, excoriated Microsoft for its handling of the situation and claimed that the tech giant “never took responsibility for its role in the SolarWinds hacking campaign.”
“It blamed federal agencies for not pushing it to prioritize defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017,” Wyden said. “It blamed its customers for using the default logging settings chosen by Microsoft, and then blamed them for not storing the high-value encryption keys in a hardware vault.”
Wyden noted that in the aftermath of the SolarWinds controversy, Microsoft president Brad Smith told the Senate that those interested in “the best security should move to the cloud” – one of the company’s profit centers.
Wyden not only criticized Microsoft but also slammed the White House for not ordering the Cyber Safety Review Board to examine the SolarWinds incident – something several experts have also questioned since the board was created.
Wyden said he was rebuffed by both CISA and the Department of Homeland Security when he asked for the Cyber Safety Review Board to investigate SolarWinds.
“Had that review taken place, it is quite likely that Microsoft’s poor data security practices around encryption keys would have come to light, and this most recent incident might have been averted,” Wyden said.
CISA did not respond to requests for comment about Wyden’s letter. A Microsoft spokesperson said the incident “demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks.”
“We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog,” the spokesperson said.
Concern about the email hack has only grown since Microsoft revealed what happened in several blog posts two weeks ago. Microsoft has already made significant changes to the system that was exploited and is now offering wider access to tools that would have helped victims identify the hack faster.
Researchers also noted last week that the encryption keys stolen by alleged Chinese hackers may have granted them even more access to other U.S. government systems – a claim Microsoft strenuously denied.
While Microsoft and National Security Agency Director of Cybersecurity Rob Joyce attributed the hack to Chinese government actors, the Chinese Embassy forcefully denied any involvement in the incident in a statement to Reuters.
On Wednesday, Newsweek reported that several other U.S. senators have asked the State Department to investigate the incident.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.