According to a new report by a government-backed cybersecurity board, Microsoft’s security culture needs improvement, with the tech giant’s lax security measures resulting in a breach by a group of hackers associated with China last summer.
The Cyber Safety Review Board (CSRB), under the US Department of Homeland Security, highlighted a series of “avoidable errors” in Microsoft’s security systems, which allowed hackers from an espionage group linked to the Chinese government, known as Storm-0558, to infiltrate the company’s networks.
The report specifies that the hackers exploited various vulnerabilities in Microsoft’s authentication system, enabling them to access “virtually any Exchange Online account worldwide” due to insufficient protection of signing keys.
Consequently, senior US officials, including Commerce Secretary Gina Raimondo, US Ambassador to China R. Nicholas Burns, and Congressman Don Bacon, had their email accounts compromised.
Moreover, Microsoft failed to detect the compromised accounts independently, only becoming aware of the issue when alerted by a customer, as per the report.
Describing the intrusion as preventable, the CSRB emphasized the need for an overhaul of Microsoft’s security culture, given its pivotal role in the technology ecosystem and the trust customers place in its ability to safeguard their data and operations.
Responding to the findings, a Microsoft spokesperson acknowledged the necessity of a new security engineering culture within the company, emphasizing ongoing efforts to identify and address security vulnerabilities.
Additionally, the CSRB criticized Microsoft for initially misidentifying the root cause of the attack in a September 2023 announcement, with the correction issued only in March 2024, two months after admitting the error to the board.
Given Microsoft’s critical role in national security and the global economy, the CSRB stressed the urgency of addressing security vulnerabilities promptly and comprehensively.
