Microsoft Really Blew It, Says Government Report on Chinese Hacks

Microsoft’s security culture needs improvement, a government-backed cybersecurity council says in a new report.

And the tech giant’s poor security allowed a group of hackers associated with China to hack into the company’s networks, including the emails of top U.S. officials, in a preventable attack last summer, according to the report.

The US Department of Homeland Security released the Cyber Safety Review Board (CSRB) report on Tuesday. In it, the board details a “cascade” of “preventable errors” in Microsoft’s security systems.

Specifically, the board said the hackers — a Chinese government-affiliated spy group called Storm-0558 — were able to exploit several flaws in Microsoft’s authentication system, allowing them to log in to “essentially any Exchange Online account anywhere in the world.”

Because Microsoft failed to properly protect signing keys, hackers gained access to the email accounts of top U.S. diplomats, including Commerce Secretary Gina Raimondo, U.S. Ambassador to the People’s Republic of China R. Nicholas Burns and Congressman Don Bacon, the report says.

The report also faults Microsoft for failing to detect the compromised accounts itself and only realizing something was wrong when a customer reported a problem.

“The Board believes that this intrusion was preventable and should never have occurred,” the Cyber Safety Review Board wrote in its report. “The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s central role in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

In a statement to Business Insider, a Microsoft spokesperson said that “recent events have demonstrated the need to adopt a new culture of security engineering in our own networks.”

“While no organization is safe from a cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate existing infrastructure, improve processes and apply security criteria,” said the Microsoft spokesperson.

The board also reprimanded Microsoft for announcing in September 2023 that it had found the root cause of the attack. But two months later, the company admitted to the board that it was wrong about the cause — and didn’t update the announcement to reflect that inaccuracy until March 2024, the report said.

The CSRB concluded that because Microsoft’s systems are critical to national security and the global economy, the company must promptly and substantially address its security vulnerabilities.

