US cyber board faults Microsoft for Chinese hack of gov officials

Microsoft 5 — Image by Gonzalo Fuentes | Reuters

The US Cyber Safety Review Board (CSRB) said a targeted Chinese hack of top government officials' emails last year was "preventable," faulting technology giant Microsoft for its cybersecurity lapses and a deliberate lack of transparency.

The CSRB released a report on the hack Tuesday, stating it had identified a series of decisions taken by Microsoft that had decreased enterprise security, risk management, and trust from the customers to protect their data and operations.

The email intrusion, which stemmed from the compromise of a Microsoft engineer's corporate account, was done by Storm-0558, a nation-state hacking group sponsored by the Chinese government.

"While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks," Microsoft said in response to the report.

"Our security engineers continue to harden all our systems against the attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations,” Microsoft said.

Deep fact-finding

The 34-page CSRB report recommended that Microsoft develop and make security-focused reforms across all its products.

Chris Hickman, Chief Strategy Officer at digital security firm Keyfactor zeroed in on one of those products – a lost cryptographic key – as the cause of the breach.

Hickman believes the breach, which allowed Storm-0558 to steal hundreds of thousands of government emails, was completely avoidable.

“This is an imperative reminder that companies cannot, under any circumstances, keep keys lying around. Keys must be properly protected in an HSM or similar hardened devices. This does not go for some keys but ALL keys within an organization,” he said.

Cryptographic keys must be tracked, managed, and rotated frequently so that if a key is stolen, the threat actor only has access to that key for a small window of time, minimizing the damage, the CSO said, blaming Microsoft for its lack of enforcement of best practices.

“Ideally, an organization-wide machine identity management policy should require the people within the organization to properly manage and secure all the keys across their landscape,” Hickman explained.

“For example, if a key is stored in an HSM, a user should not be able to request a key that does not meet that policy,” he said.

According to Microsoft, who disclosed the breach in a July 2023 blog post, the hackers had exploited "a validation error in Microsoft code” using forged digital encryption keys.

The tech giant said Storm-0558 had gained access to emails from top US officials, including Commerce Secretary Gina Raimondo, US Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asia Daniel Kritenbrink, as well as nearly two dozen other organizations.

“The threat actor responsible for this brazen intrusion has been tracked by the industry for over two decades and has been linked to 2009 Operation Aurora and 2011 RSA SecureID compromises,” said CSRB Acting Deputy Chair Dmitri Alperovitch.

The CSRB also recommended a number of specific actions for all cloud service providers and government partners to take to help improve security and build resilience against nation-state attacks.

Recommendations to reduce risks of compromise included; implementing cloud service provider cybersecurity practices, audit logging norms, digital identity standards and guidance, cloud service provider transparency, victim notification processes, and security standards and compliance frameworks.

This is the third review completed by the CSRB since the Board was established in September 2021.