Microsoft’s security culture needs work, a government-backed cybersecurity board says in a new report.
And the tech giant’s lackluster security allowed a group of hackers associated with China to breach the company’s networks, including senior US officials’ emails, in a preventable attack last summer, the report says.
The US Department of Homeland Security released the report from the Cyber Safety Review Board (CSRB) on Tuesday. In it, the board details a “cascade” of “avoidable errors” in Microsoft’s security systems.
Specifically, the board said that the hackers — an espionage group affiliated with the Chinese government called Storm-0558 — were able to exploit several flaws in Microsoft’s authentication system, allowing them to sign in to “essentially any Exchange Online account anywhere in the world.”
Because Microsoft didn’t adequately protect the signing keys, the hackers gained access to the email accounts of senior US diplomats, including Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon, the report says.
The report also blames Microsoft for not detecting the compromised accounts on its own and only realizing something was wrong when a customer reported a problem.
“The Board finds that this intrusion was preventable and should never have occurred,” the Cyber Safety Review Board wrote in its report. “The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”
In a statement to Business Insider, a spokesperson for Microsoft said “recent events have demonstrated a need to adopt a new culture of engineering security in our own networks.”
“While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” the Microsoft spokesperson said.
The board also reprimanded Microsoft for announcing in September 2023 that it had found the root cause of the attack. But two months later it admitted to the board that it was wrong about the cause — and didn’t update the announcement to reflect that inaccuracy until March 2024, the report said.
The CSRB concluded that because Microsoft’s systems are essential to national security and the global economy, the company must fix its security vulnerabilities quickly and substantially.