US Senator demands feds investigate Microsoft over China email and SolarWinds hack
Oregon Senator Ron Wyden is pushing three federal agencies to hold Microsoft accountable for security failures that led to two major hacking campaigns impacting multiple government offices – a recently discovered Chinese-led cyberespionage campaign and the infamous 2020 SolarWinds hack.
The Senator wrote a letter calling on the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Trade Commission (FTC), and the Justice Department (DoJ) to "take action" against the technology giant and hold Microsoft "responsible for its negligence."
“It goes without saying that foreign governments shouldn't be able to hack into the email accounts of US government officials,” Sen. Wyden tweeted to his followers Thursday after the Wall Street Journal first reported the story.
“I'm demanding the federal government investigate how Microsoft’s neglect of cybersecurity enabled this Chinese spying campaign,” the Senator said.
Earlier this month, Microsoft revealed that a China-based threat actor it tracks as Storm-0558 had gained access to hundreds of thousands of government emails belonging to top US officials, as well as the email of nearly two dozen other organizations.
Microsoft had announced on July 12th that the hackers obtained one of its signing keys and exploited "a validation error in Microsoft code" to forge authentication tokens and read the emails for intelligence gathering.
“The hackers could create fake authentication tokens to impersonate users and gain access to Microsoft-hosted consumer accounts, even if a user’s account was protected with multi-factor authentication and a strong password,” Wyden wrote in the four-page letter.
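How a stolen signing key turns into mailbox access that never touches a password or MFA prompt, as an added illustration rather than Microsoft's code: the page does not describe the actual validation error, so the flaw below is a constructed example of the class, a token validator that checks the signature correctly but never checks which issuer the signing key belongs to. All issuers, key IDs, secrets and claims are invented, and HMAC-SHA256 stands in for the asymmetric signatures a real identity provider would use so the script runs offline with only the standard library.

```python
"""Forged tokens from a stolen signing key: weak vs. strict validation.

Added example, not Microsoft's code. Every issuer, key, kid and claim is
constructed for this illustration; HMAC-SHA256 stands in for asymmetric
signatures so it runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical keyset shared by one token-validation library: one signing key
# per issuer. The consumer key is the one the attacker is assumed to have stolen.
KEYSET = {
    "consumer-key-1": {"iss": "https://login.consumer.example",
                       "secret": b"consumer-signing-secret"},
    "enterprise-key-7": {"iss": "https://login.enterprise.example",
                         "secret": b"enterprise-signing-secret"},
}
ENTERPRISE_ISS = "https://login.enterprise.example"
MAIL_AUD = "https://mail.enterprise.example"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, secret: bytes, claims: dict) -> str:
    """Build header.payload.signature, MAC'd over the first two segments."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), f"{h}.{p}".encode(), _unb64(s)


def _check_claims(claims: dict, expected_iss: str, expected_aud: str) -> bool:
    return (claims.get("iss") == expected_iss
            and claims.get("aud") == expected_aud
            and claims.get("exp", 0) > time.time())


def verify_weak(token: str, expected_iss: str, expected_aud: str) -> Optional[dict]:
    """Flawed validator: any key in the shared keyset may vouch for any issuer.

    Signature check and claim checks are each correct on their own; the bug is
    that nothing ties the key named by 'kid' to the issuer named by 'iss'.
    """
    header, claims, signing_input, mac = _parse(token)
    key = KEYSET.get(header.get("kid"))
    if key is None:
        return None
    expected_mac = hmac.new(key["secret"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, mac):
        return None
    return claims if _check_claims(claims, expected_iss, expected_aud) else None


def verify_strict(token: str, expected_iss: str, expected_aud: str) -> Optional[dict]:
    """Hardened validator: the key must be scoped to the issuer being validated."""
    header, claims, signing_input, mac = _parse(token)
    key = KEYSET.get(header.get("kid"))
    # Reject the key before the signature is even checked unless it belongs to
    # the issuer this service trusts; a key stolen from another issuer is useless.
    if key is None or key["iss"] != expected_iss:
        return None
    expected_mac = hmac.new(key["secret"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, mac):
        return None
    return claims if _check_claims(claims, expected_iss, expected_aud) else None


def forge_with_stolen_consumer_key(victim: str) -> str:
    """Attacker side: sign an enterprise-looking token with the stolen consumer key.

    No password or MFA step is involved; the token simply asserts that the
    identity provider already authenticated the victim.
    """
    stolen = KEYSET["consumer-key-1"]["secret"]
    claims = {"iss": ENTERPRISE_ISS, "aud": MAIL_AUD, "sub": victim,
              "exp": int(time.time()) + 3600}
    return sign_token("consumer-key-1", stolen, claims)


def demo():
    forged = forge_with_stolen_consumer_key("official@agency.example")
    return (verify_weak(forged, ENTERPRISE_ISS, MAIL_AUD),
            verify_strict(forged, ENTERPRISE_ISS, MAIL_AUD))


if __name__ == "__main__":
    weak, strict = demo()
    print("weak validator accepted forged token for:", weak and weak["sub"])
    print("strict validator accepted forged token:", strict)
```

The point the example makes is that password strength and MFA are checked by the identity provider before a token exists; a relying party that accepts a forged token never consults them. The fix is not a stronger signature but a narrower trust decision: bind each key to the issuer and audience it may sign for, and treat a key's theft as a full compromise of every account whose tokens it can sign.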
The email accounts of US Commerce Secretary Gina Raimondo, the US Ambassador to China, and the Assistant Secretary of State for East Asia were all compromised in the Beijing-linked cyberespionage campaign.
Wyden, a Democrat who also chairs the Senate Finance Committee, said "even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident."
Wyden also pointed out that the Russian state-backed group behind the 2020 SolarWinds supply chain attack, known as Nobelium or Cozy Bear, used a similar technique in that campaign: stealing token-signing keys to forge authentication tokens.
The Senator said that Microsoft failed to warn customers that an attacker who extracted the identity signing keys from Microsoft software running on an organization's own servers could forge logins in that way, even though the company had known about the risk since 2017.
“Microsoft never took responsibility for its role in the SolarWinds hacking campaign,” Wyden wrote.
“Instead, it blamed its customers for using the default logging settings chosen by Microsoft, and then blamed them for not storing the high-value encryption keys in a hardware vault,” he stated.
Wyden also accused Microsoft of using the aftermath of the SolarWinds incident to shamelessly promote its Azure Active Directory (Azure AD) cloud identity service.
The letter also faulted the Biden administration for failing to follow through on a review of the SolarWinds attack that the Cyber Safety Review Board, created specifically for that task, was supposed to have carried out.
Wyden's requests are addressed to the three agencies in turn: he wants CISA to push the Cyber Safety Review Board to complete its review of what he calls Microsoft's negligence, and the DoJ to examine whether Microsoft's lax practices violated federal law.
He also asked the FTC to determine whether Microsoft's privacy and data security practices violated federal laws, including "those prohibiting unfair and deceptive business practices."
Part of the FTC investigation would require an examination of a 20-year-old consent decree requiring Microsoft to “establish and maintain a comprehensive information security program in writing that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”
The decree, which expired in December 2022, would have covered the Microsoft consumer services from which the signing key was stolen.
A Microsoft spokesperson told the Wall Street Journal that the latest incident “demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks.”
Microsoft also said it would "work directly with government agencies on this issue and maintain our commitment to continue sharing information."