Microsoft's Information Security Culture, Cloud Vulnerabilities To Blame For 2023 China-Linked Cyberattack, Says Federal Agency

The Cyber Safety Review Board (CSRB) of the Cybersecurity and Infrastructure Security Agency has found that Microsoft Corporation MSFT had security lapses that paved the way for a 2023 cyberattack. This incident resulted in the compromise of high-ranking US officials’ accounts.

What Happened: According to the CSRB report, a group with links to China, identified as “Storm-0558”, took advantage of inadequacies in Microsoft’s cloud security and infosec culture. This led to a breach of its Exchange Online hosted email service in June 2023. Following this, Microsoft and the federal government continued investigating the hack and understanding its full impact.

The report highlighted Microsoft’s key rotation practices for securing the Microsoft Services Account (MSA), which didn’t include an automatic signing of key rotation or deactivation process. The outdated system, launched during the early 2000s, proved ineffective when Microsoft stopped manually managing keys in 2021 after a major cloud outage.

See Also: Mark Cuban Jokes Zuckerberg Was ‘Just Trying To Get Laid’ As He Reveals The Secrets To Becoming A Billionaire

Storm-0558 exploited an old key from 2016 to access Microsoft’s public-facing Outlook Web Access. Owing to a system glitch, the group could use the key to break into enterprise email accounts, leading to the theft of nearly 60,000 emails from the US State Department, including sensitive diplomatic conversations and a list of employee emails.

According to the CSRB, Microsoft “did not accord security risk management the priority it deserved given the threat and the critical importance of Microsoft technology to more than one billion global customers.” It was stressed that the company’s “Secure Future Initiative” requires supervision from its top brass.

Why It Matters: Earlier in July 2023, Microsoft disclosed that Storm-0558 had breached email accounts connected to Western European government agencies, raising cybersecurity concerns. Later, Sen. Ron Wyden (D-Ore.) accused Microsoft of negligence in its cybersecurity practices and urged the Justice Department to hold the company accountable.

Read Next: Tesla CEO Elon Musk Reacts To Apple Co-Founder Steve Jobs On Finding Top Talent: ‘You Build Up These Pockets Of ‘A’ Players And It Propagates’