Last year, Microsoft disclosed that a Chinese hacking group referred to as “Storm-0558” was responsible for a security breach that led to the access of the email accounts of around 25 organisations, including some US government agencies. The federal Cyber Safety Review Board has just released its report on the incident, identifying a “cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed”. Ouch.
The Cyber Safety Review Board is composed of multiple officials from several US government departments including the Department of Homeland Security, the NSA and the FBI (via Ars Technica) and several industry leaders, and was tasked with creating the report [pdf] under a mandate from President Biden in response to the attack.
In a somewhat scathing review, the board found that not only were Microsoft’s security practices “lacking” in comparison to other cloud providers, but that public statements released surrounding the attack were “inaccurate” and not corrected in a timely manner.
Microsoft said at the time that a consumer signing key was acquired by Storm-0558 and used to forge tokens for the cloud service that stores login keys, and that this was caused by a validation error in its codebase. It later changed this explanation to a claim that an engineer's account was hacked, and that “human errors” were to blame for allowing an expired signing key to be used to forge tokens.
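To make concrete the two checks the paragraph above turns on (a signing key that has expired, and a key from one scope being accepted for another), here is an added illustration written for this article; it is not Microsoft's code and says nothing about how its token service actually works. It uses a toy HMAC-signed token and a constructed key registry with hypothetical key ids (`ent-2023-a`, `con-2016-z`, `con-2023-b`); the point is that the verifier picks the trusted key set by the scope it serves and rejects expired keys, rather than trusting whatever key id the token names.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key registry for illustration only: key id -> secret, scope, expiry (Unix time).
KEYS = {
    "ent-2023-a": {"secret": b"enterprise-secret",  "scope": "enterprise", "exp": 4102444800},
    "con-2016-z": {"secret": b"consumer-secret-old", "scope": "consumer",   "exp": 1500000000},  # expired
    "con-2023-b": {"secret": b"consumer-secret-new", "scope": "consumer",   "exp": 4102444800},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict, secret: bytes) -> str:
    """Mint a toy header.payload.signature token (HMAC-SHA256), naming the key by kid."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_token(token: str, expected_scope: str, keys=KEYS, now=None):
    """Return (ok, reason). The service decides which scope's keys it trusts;
    the token's kid only selects a key within that scope, and expired keys are refused."""
    now = time.time() if now is None else now
    try:
        header_s, body_s, sig_s = token.split(".")
        header = json.loads(_unb64(header_s))
    except ValueError:
        return False, "malformed"
    key = keys.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if key["scope"] != expected_scope:
        return False, "key scope mismatch"       # consumer key presented to an enterprise service
    if now >= key["exp"]:
        return False, "signing key expired"      # key past its validity window
    expected = hmac.new(key["secret"], f"{header_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_s)):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    fixed_now = 1700000000  # constructed clock value so the expiry check is deterministic
    good = sign_token("ent-2023-a", {"sub": "alice"}, KEYS["ent-2023-a"]["secret"])
    stale = sign_token("con-2016-z", {"sub": "alice"}, KEYS["con-2016-z"]["secret"])
    print(verify_token(good, "enterprise", now=fixed_now))   # (True, 'ok')
    print(verify_token(stale, "enterprise", now=fixed_now))  # (False, 'key scope mismatch')
    print(verify_token(stale, "consumer", now=fixed_now))    # (False, 'signing key expired')
```

The ordering matters: the scope check and the expiry check run before the signature is even computed, so a valid signature from the wrong or expired key never gets a chance to be accepted.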
However, the report revealed that Microsoft has still not determined the exact root cause of the breach, and noted that the company only updated its blog posts discussing the attack in March of this year, roughly at the same time the board was concluding its review and “only after the Board's repeated questioning about Microsoft’s plan to issue a correction”.
The attack itself was originally detected by State Department officials in June of last year, who then went on to notify Microsoft about the breach. The report notes that this was only possible because the department had paid for a higher tier of Microsoft cloud services that allowed it to set up an alert for notable mail access—called rather charmingly “Big Yellow Taxi”—which was then triggered when the hackers attempted to download more than 60,000 emails.
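The alert described above is, in essence, a volume rule: flag any account whose mailbox reads in a short window far exceed what a human user produces. The following is an added example written for this article, not the State Department's rule or any Microsoft product logic; it runs a sliding-window threshold over a handful of constructed JSON audit events (the event name `MailItemsAccessed`, the user names and the counts are all made up) and reports the first moment each account crosses the threshold.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed mailbox-access audit events (not real telemetry). One ordinary user reading
# a few items a minute, and one account pulling hundreds of items every 30 seconds.
SAMPLE_EVENTS = [
    json.dumps({"ts": f"2023-06-15T10:{m:02d}:00Z", "user": "analyst@example.org",
                "op": "MailItemsAccessed", "count": 3})
    for m in range(10)
] + [
    json.dumps({"ts": f"2023-06-15T10:{m:02d}:{s:02d}Z", "user": "svc-actor@example.org",
                "op": "MailItemsAccessed", "count": 250})
    for m in range(5) for s in (0, 30)
]


def find_bulk_mail_access(lines, threshold=1000, window=timedelta(minutes=15)):
    """Return {user: (first_breach_time, items_in_window)} for every user whose
    MailItemsAccessed total inside any sliding window exceeds the threshold."""
    events = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("op") != "MailItemsAccessed":
            continue  # only mailbox reads count toward the rule
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, ev["user"], int(ev.get("count", 1))))
    events.sort()  # audit exports are not guaranteed to arrive in time order

    recent = defaultdict(deque)  # user -> events still inside the window
    running = defaultdict(int)   # user -> item total of those events
    alerts = {}
    for ts, user, count in events:
        recent[user].append((ts, count))
        running[user] += count
        # Drop events that have slid out of the window before comparing.
        while recent[user] and ts - recent[user][0][0] > window:
            _, old_count = recent[user].popleft()
            running[user] -= old_count
        if running[user] > threshold and user not in alerts:
            alerts[user] = (ts, running[user])
    return alerts


if __name__ == "__main__":
    for user, (when, total) in find_bulk_mail_access(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {total} items read by {when:%H:%M:%S} (window 15 min)")
```

Two details carry most of the value: the rule keys on the account, not on the source address, so a token that impersonates a legitimate user still trips it, and the threshold is compared against a sliding window rather than a daily total, so a fast bulk pull is caught while it is still in progress.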
In summation, the report makes several recommendations to prevent future security failings, including a renewed focus on security culture, a shift in priority from feature development to security improvements, a move towards taking accountability for the security outcomes of customers, and a focus on providing customers with tools that allow them to detect, prevent or quantify a future intrusion.
“Microsoft’s products and services are ubiquitous. It is one of the most important technology companies in the world, if not the most important.”
“Unfortunately, throughout this review, the Board identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management. These decisions resulted in significant costs and harm for Microsoft customers around the world. The Board is convinced that Microsoft should address its security culture.”
While this report is damning in its findings, Microsoft is not the only victim of the hacking group’s attempts to breach major security networks. Storm-0558 was noted as having a history of stealing authentication keys for cloud services from global providers, and making something of a menace of itself in the process.
Still, it is a significant slap on the wrist for Microsoft, and a summation that doesn’t hold back in its critique of the company’s security practices. Given that Microsoft’s Azure cloud platform is used by vast numbers of major companies and institutions to handle potentially very sensitive data, this may serve as a wake-up call for the company to focus on security concerns in order to prevent customers from looking elsewhere.