Microsoft Exchange state-linked hack entirely preventable, cyber review board finds
The state-linked intrusion on Microsoft Exchange Online that led to the theft of about 60,000 US State Department e-mails last summer “was preventable and should never have occurred”, according to the Cyber Safety Review Board.
A series of operational and strategic decisions by Microsoft pointed to a corporate culture that deprioritised investments in enterprise security and rigorous risk management, despite the central role the company plays in the larger technology ecosystem, a report said.
The CSRB urged Microsoft to publicly share its plans to make fundamental, security-focused reforms across the company and its suite of products. The board also recommended that all cloud service providers and government partners enact security-focused changes.
The China-affiliated threat actor Microsoft identifies as Storm-0558 compromised the Microsoft Exchange Online mailboxes of 22 organisations and more than 500 individuals in the attacks, which began in May 2023.
The attacks compromised the individual mailboxes of key US officials, including Commerce Secretary Gina Raimondo, Representative Don Bacon, and Nicholas Burns, the US ambassador to China.
The report highlights the need to overhaul not only security practices within Microsoft, but the larger body of cloud services that serve a critical role for companies, government agencies and other organisations across the US.
“Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy,” said Rob Silvers, under secretary for policy at the Department of Homeland Security and chair of the CSRB. “It is imperative that cloud service providers prioritise security and build it in by design.”
Tenable CEO Amit Yoran, a long-time critic of Microsoft’s security practices, praised the work of the board and pointed to the need for industry-wide reforms.
“This is not some watered down, wishy-washy document full of government speak and platitudes,” Yoran said. “After a thorough investigation, this body of august experts issued a powerful document that should serve as a wake-up call to cloud providers that cyber security must be a priority.”
The State Department was alerted to the attack before Microsoft because it created a custom rule called ‘Big Yellow Taxi’ from a special Microsoft data log, according to the report. The State Department had a special G5 license in Microsoft Purview Audit, which provides enhanced logging for a premium price.
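The article does not describe the logic of the State Department's rule, only that it was a custom rule built on premium Purview Audit data. The added example below is not the State Department's rule and not from the article; it is an assumed, simplified detection of the same kind, run over a constructed audit export. It uses the MailItemsAccessed operation, which Purview Audit (Premium) records when mailbox items are read, and field names (CreationTime, Operation, UserId, ClientIPAddress) that follow the Unified Audit Log record shape; the sample data, the two rule thresholds and the cut-off date are all constructed for the illustration, and the field names should be checked against a real tenant export before use.

```python
"""Hypothetical mailbox-access anomaly rule over Microsoft 365 audit records.

Added illustration: the State Department's actual rule logic is not public in
the article, so this implements an assumed, simplified version with two checks:
  1. a user's mailbox is read from a client IP never seen for that user, and
  2. a user's MailItemsAccessed count in one hour exceeds a fixed threshold.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Records dated before this point form the "known good" baseline (constructed).
CUTOFF = datetime(2023, 6, 15, tzinfo=timezone.utc)


def constructed_sample_ndjson():
    """Build a constructed newline-delimited JSON export; NOT real tenant data."""
    lines = []
    # Two weeks of routine reads from each user's usual client IP.
    for day in range(1, 15):
        for hour in (9, 13, 17):
            for user, ip in (("alice@example.gov", "203.0.113.10"),
                             ("bob@example.gov", "203.0.113.11")):
                lines.append(json.dumps({
                    "CreationTime": f"2023-06-{day:02d}T{hour:02d}:05:00",
                    "Operation": "MailItemsAccessed",
                    "UserId": user, "ClientIPAddress": ip}))
    # Detection day: alice's mailbox read 30 times in one hour from a new IP.
    for minute in range(30):
        lines.append(json.dumps({
            "CreationTime": f"2023-06-15T10:{minute:02d}:00",
            "Operation": "MailItemsAccessed",
            "UserId": "alice@example.gov", "ClientIPAddress": "198.51.100.7"}))
    # bob behaves normally; a non-read operation must be ignored by the rule.
    lines.append(json.dumps({"CreationTime": "2023-06-15T10:15:00",
                             "Operation": "MailItemsAccessed",
                             "UserId": "bob@example.gov",
                             "ClientIPAddress": "203.0.113.11"}))
    lines.append(json.dumps({"CreationTime": "2023-06-15T10:20:00",
                             "Operation": "Send",
                             "UserId": "alice@example.gov",
                             "ClientIPAddress": "198.51.100.7"}))
    return "\n".join(lines)


def parse_ndjson(text):
    """Parse one JSON record per line and attach a UTC datetime as '_ts'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def build_baseline(records, cutoff):
    """Map each user to the set of client IPs seen reading their mailbox before cutoff."""
    known = defaultdict(set)
    for r in records:
        if r["_ts"] < cutoff and r["Operation"] == "MailItemsAccessed":
            known[r["UserId"]].add(r["ClientIPAddress"])
    return known


def run_detection(records, cutoff, volume_threshold=25):
    """Return alert dicts for new-IP reads and hourly read volume above threshold."""
    known = build_baseline(records, cutoff)
    hourly = Counter()
    alerts, reported_new = [], set()
    for r in records:
        if r["_ts"] < cutoff or r["Operation"] != "MailItemsAccessed":
            continue
        user, ip = r["UserId"], r["ClientIPAddress"]
        if ip not in known[user] and (user, ip) not in reported_new:
            reported_new.add((user, ip))
            alerts.append({"rule": "new_client_ip", "user": user, "ip": ip,
                           "first_seen": r["CreationTime"]})
        hourly[(user, r["_ts"].replace(minute=0, second=0, microsecond=0))] += 1
    for (user, hour), count in sorted(hourly.items()):
        if count > volume_threshold:
            alerts.append({"rule": "mail_access_volume", "user": user,
                           "hour": hour.isoformat(), "count": count})
    return alerts


if __name__ == "__main__":
    for alert in run_detection(parse_ndjson(constructed_sample_ndjson()), CUTOFF):
        print(alert)
```

Both checks depend on data that only exists when mailbox reads are audited at all, which is the point the article makes about the premium log tier: without MailItemsAccessed events there is nothing for a rule like this to fire on.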
Microsoft was publicly rebuked by lawmakers for making customers pay extra for logging, which led the company to reverse its policies and offer enhanced logging for free in July 2023.
Microsoft announced plans in November to enact massive reforms in its security culture following public backlash over the attacks. Yet, the company’s security lapses were further exposed in January when it disclosed an attack by Midnight Blizzard, a Russia-linked threat group, that stole e-mails from top Microsoft executives through a password spray attack.
Microsoft thanked the CSRB for its work and acknowledged the need for significant changes in its security culture, as noted when it announced its Secure Future initiative.
“While no organisation is immune to cyber attack from well resourced adversaries, we have mobilised our engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks,” a Microsoft spokesperson said via e-mail. “Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber armies of our adversaries.”
News Wires