US reprimands Microsoft for security failures that allowed Chinese hack

In a scathing indictment of Microsoft’s corporate security and transparency, a Biden administration-appointed review board released a report Tuesday saying that “a cascade of mistakes” by the tech giant allowed state-backed Chinese cyber operators to break into e email accounts of senior US officials, including Commerce Secretary Gina Raimondo.

The Cyber ​​Safety Review Board, created by executive order in 2021, describes sloppy cybersecurity practices, a lax corporate culture and a lack of candor about the company’s knowledge of the targeted breach, which affected multiple U.S. agencies dealing with China to have.

It concluded that “Microsoft’s security culture was inadequate and in need of an overhaul” given the company’s pervasiveness and critical role in the global technology ecosystem. Microsoft products “support essential services that support national security, the foundations of our economy, and public health and safety.”

The panel said the intrusion, discovered in June by the State Department and dating back to May, was “preventable and should never have happened”, attributing its success to “a cascade of avoidable mistakes”. Moreover, the board still does not know how the hackers got in.

The panel made sweeping recommendations, including urging Microsoft to suspend adding features to its cloud computing environment until “substantial security improvements are made.”

It said Microsoft’s CEO and board must implement “rapid cultural change,” including publicly sharing “a plan with specific timelines to implement fundamental, security-focused reforms across the company and its full suite of products.”

In a statement, Microsoft said it appreciated the board’s investigation and would “continue to protect all of our systems from attacks and deploy even more robust sensors and logs to help us detect and counter our adversaries’ cyber armies.” to ward off”.

In total, the state-backed Chinese hackers broke into the Microsoft Exchange Online email of 22 organizations and more than 500 individuals around the world, including the US Ambassador to China Nicholas Burns – compromising for at least six weeks had access to some cloud-based email boxes. and downloading some 60,000 emails from the State Department alone, the 34-page report said. Three think tanks and four foreign government agencies, including the UK’s National Cyber ​​Security Center, were among the victims, the report said.

The board, which was convened in August by Homeland Security Secretary Alejandro Mayorkas, accused Microsoft of making inaccurate public statements about the incident, including issuing a statement saying it believed it had determined probable cause of the breach “when in fact it still isn’t.” Microsoft only updated this misleading blog post, published in September, in mid-March after the board repeatedly asked whether it planned to make a correction, the company said.

In addition, the board raised concerns about a separate hack disclosed in January by the Redmond, Washington-based company — affecting one of its email accounts, including those of an undisclosed number of senior Microsoft executives and an undisclosed number Microsoft customers, and attributed to state-backed Russians. hackers.

The board deplored “a corporate culture that prioritized investments in corporate security as well as rigorous risk management.”

The Chinese hack was initially disclosed by Microsoft in a blog post in July and carried out by a group the company calls Storm-0558. That same group, the panel noted, has been involved in similar intrusions since 2009 — compromising cloud providers or stealing authentication keys so they can break into accounts — targeting companies like Google, Yahoo, Adobe, Dow Chemical and Morgan Stanley are.

Microsoft noted in its statement that the hackers involved are “well-resourced national threat actors operating continuously and without meaningful deterrence.”

The company said it recognizes that recent events have “demonstrated the need to adopt a new culture of technical security in our own networks,” adding that it has “mobilized our engineering teams to identify and fix legacy infrastructure.” mitigation, improve processes and enforce security benchmarks” .