US chastises Microsoft for security flaws that enabled Chinese hack

  • Posted by: Evans Asare

In a scathing indictment of Microsoft corporate security and transparency, a Biden administration-appointed review board issued a report on Tuesday claiming that “a cascade of errors” by the tech giant allowed state-backed Chinese cyber operators to break into email accounts of senior US officials, including Gina Raimondo, the commerce secretary.

The Cyber Safety Review Board, established by presidential order in 2021, cites poor cybersecurity policies, a lax corporate culture, and a lack of honesty regarding the company’s awareness of the targeted hack, which affected various US agencies dealing with China.

It established that “Microsoft’s security culture was inadequate and requires an overhaul” given the company’s ubiquity and vital role in the global technology ecosystem. Microsoft’s products “underpin essential services that support national security, the foundations of our economy, and public health and safety”.

The panel stated that the infiltration, discovered by the state department in June and dating back to May, “was preventable and should never have occurred,” and attributed its success to “a cascade of avoidable errors.” Furthermore, the board stated that Microsoft has yet to determine how the hackers gained access.

The panel offered broad suggestions, including advising Microsoft to postpone adding capabilities to its cloud computing environment until “substantial security improvements have been made”.

What needs to be done.

It stated that Microsoft’s CEO and board should implement “rapid cultural change” by publicly disclosing “a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products”.

In a statement, Microsoft said it appreciated the board’s probe and that it will “continue to harden all of our systems against attack and implement even more robust sensors and logs to help us detect and repel our adversaries’ cyber-armies.”

In total, state-backed Chinese hackers gained access to the Microsoft Exchange Online email accounts of 22 organizations and over 500 individuals worldwide, including the US ambassador to China, Nicholas Burns, for at least six weeks and downloaded approximately 60,000 emails from the state department alone, according to the 34-page report. It stated that three think tanks and four foreign government institutions, including Britain’s National Cyber Security Centre, had been compromised.


In August, the board, constituted by Homeland Security Secretary Alejandro Mayorkas, accused Microsoft of making incorrect public comments about the event, including publishing a statement indicating it believed it had determined the likely root cause of the attack “when, in fact, it still has not”. Microsoft did not amend the inaccurate blog post, which was published in September, until mid-March, after the board repeatedly inquired if it planned to provide a correction, the company stated.

Separately, the board expressed concern about another hack disclosed by the Redmond, Washington-based company in January, involving email accounts belonging to an undisclosed number of senior Microsoft executives and an undisclosed number of Microsoft customers and attributed to state-backed Russian hackers.

Microsoft's stand on this issue

The company’s board criticized “a corporate culture that deprioritized both enterprise security investments and rigorous risk management”.

Microsoft first revealed the Chinese breach in a blog post in July, claiming that it was carried out by a group known as Storm-0558. The panel highlighted that the same gang has been conducting similar intrusions – compromising cloud providers or obtaining authentication keys to get access to accounts – since at least 2009, targeting corporations such as Google, Yahoo, Adobe, Dow Chemical, and Morgan Stanley.

According to Microsoft, the hackers involved are “well-resourced nation-state threat actors who operate continuously and without meaningful deterrence”.

The business stated that recent occurrences “have demonstrated a need to adopt a new culture of engineering security in our own networks” and that it has “mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks”.
