Microsoft Admits Security Failings Allowed China to Access US Government Emails


Microsoft President Brad Smith has admitted security failings by the firm that enabled Chinese state hackers to access the emails of US government officials in the summer of 2023.

In testimony before the US House Committee on Homeland Security on June 13, 2024, Smith said the tech giant accepts responsibility for all the issues cited in the Cyber Safety Review Board (CSRB) report “without equivocation or hesitation.”

The CSRB report, published in April 2024, blamed Microsoft for a “cascade of security failures” that enabled Chinese threat actor Storm-0558 to access the email accounts of 25 organizations, including US government officials.

To launch the espionage attack, Storm-0558 forged authentication tokens using an acquired Microsoft encryption key, which, when combined with another flaw in Microsoft’s authentication system, allowed them to gain full access to essentially any Exchange Online account anywhere in the world.

The CSRB investigation found an inadequate security culture at Microsoft, and also identified gaps within the firm’s mergers and acquisitions (M&A) security compromise assessment and remediation process, among other errors that allowed the attackers to succeed.

The report also set out 25 cybersecurity recommendations to Microsoft and all other cloud service providers to prevent this type of intrusion occurring again.

Microsoft’s “Unique and Critical” Cybersecurity Role

In his opening statement to the Congress committee, Smith recognized Microsoft’s “unique and critical cybersecurity role,” not only to its customers but for the US and allied nations.

“This role reflects the wide range of products and services Microsoft provides to individuals and organizations, including cloud services that operate through data centers located in 32 countries around the world. It also reflects the broad cybersecurity work we undertake every day, including for and in close collaboration with the US and numerous allied governments,” stated Smith.

He noted that expanding and intensifying geopolitical conflicts, such as the Russia-Ukraine war, have created a more dangerous cyber world. In particular, there have been more prolific, well-resourced and sophisticated cyberattacks by Russia, China, Iran and North Korea in the 28 months since the war began.

Smith added: “By any measure, lawless and aggressive cyber activity has reached an extraordinary level. During the past year, Microsoft detected 47 million phishing attacks against our network and employees. But this is modest compared to the 345 million cyber-attacks we detect against our customers every day.”

He also said that Microsoft apologizes and expressed its deepest regrets to those impacted by the Storm-0558 attack, including government officials.

Commitment to Strengthen Cybersecurity Protections

Microsoft will use the CSRB report as an opportunity and foundation to strengthen its cybersecurity protection across the board, according to Smith.

The tech giant is taking action to implement every one of the 16 recommendations that specifically apply to Microsoft.

Smith revealed the firm is in the process of transitioning its consumer and enterprise identity systems to a new hardened key management system that leverages hardware security modules for the storage and generation of keys.

It is also rolling out proprietary data and corresponding detection signals at all places where tokens are validated.
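The attack chain described earlier (a forged token signed with an acquired key, accepted because of a second flaw in validation) and the two remediations just listed (HSM-backed key management and detection signals at every point where tokens are validated) are easier to reason about with a concrete validator in front of you. The following is an added example, not Microsoft's code and not taken from the CSRB report: a minimal HMAC-signed, JWT-like token format with a validator that binds each signing key to the issuers it may vouch for and records a detection signal on every rejection. The key registry, issuer names, claim layout and signal names are assumptions made for illustration, and the HMAC format stands in for the asymmetrically signed tokens a real identity system uses.

```python
"""Added example (not Microsoft's code): a token validator that binds each
signing key to the issuers it may sign for and records a detection signal
on every rejection. Tokens use a minimal HMAC-signed, JWT-like layout so
the block runs offline; the registry, claim names and signal names are
assumptions made for illustration."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed registry (assumption). In production the secrets would be
# HSM-resident and only a sign/verify operation would be exposed; they are
# inline here only so the example is self-contained.
KEY_REGISTRY = {
    "consumer-key-01": {"secret": b"consumer-demo-secret",
                        "issuers": {"login.consumer.example"}},
    "enterprise-key-01": {"secret": b"enterprise-demo-secret",
                          "issuers": {"login.enterprise.example"}},
}


class TokenRejected(Exception):
    """Raised for any validation failure; the reason is also recorded as a signal."""


def mint_token(kid: str, claims: dict, registry=KEY_REGISTRY) -> str:
    """Sign claims with the named key. Used here only to build sample tokens."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(registry[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, expected_issuer: str, registry=KEY_REGISTRY,
                   signals=None, now=None) -> dict:
    """Return the claims if the token is acceptable for expected_issuer.

    Checks, in order: structure, known key id, signature, key scope (the key
    must be registered for the issuer the token claims), issuer match and
    expiry. Every failure appends a (reason, kid) tuple to `signals`, so the
    validation point doubles as a sensor instead of failing silently.
    """
    signals = [] if signals is None else signals
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # bad split, bad base64 (binascii.Error) and bad JSON all subclass ValueError
        signals.append(("malformed_token", None))
        raise TokenRejected("malformed token")
    kid = header.get("kid") if isinstance(header, dict) else None
    key = registry.get(kid)
    if key is None:
        signals.append(("unknown_kid", kid))
        raise TokenRejected("unknown signing key")
    expected_sig = hmac.new(key["secret"], f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        signals.append(("bad_signature", kid))
        raise TokenRejected("signature mismatch")
    iss = claims.get("iss") if isinstance(claims, dict) else None
    # A valid signature only proves that *some* registered key signed the token;
    # that key must also be one allowed to vouch for the issuer the token claims.
    if iss not in key["issuers"]:
        signals.append(("key_scope_violation", kid))
        raise TokenRejected("signing key not authorised for issuer")
    if iss != expected_issuer:
        signals.append(("issuer_mismatch", kid))
        raise TokenRejected("token issued for a different realm")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        signals.append(("expired", kid))
        raise TokenRejected("token expired or has no expiry")
    return claims
```

The line that matters is the key-scope check: a token carrying a valid signature from a registered key is still rejected when that key is not bound to the issuer the token claims, and that case gets its own signal so a key being used outside its scope surfaces in monitoring rather than being accepted as a routine success. Pass a shared `signals` list from the calling service to feed those tuples into whatever detection pipeline sits behind the validation point.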

Smith added that Microsoft’s senior leadership team has reviewed its security culture in light of the CSRB report, and has communicated a “north star” to employees to make security the top priority at the company, above all else. This includes prioritizing it above releasing new features or providing ongoing support for legacy systems.

Microsoft has added 1600 more security engineers this fiscal year, and will add another 800 new security positions in its next fiscal year to help resource this cultural change.

Additionally, Smith said Microsoft has created the Office of the CISO with senior-level Deputy CISOs to expand oversight of the various engineering teams to assess and ensure that security is “baked into” engineering decision-making and processes.

Smith also highlighted Microsoft’s Secure Future Initiative (SFI), launched in November 2023, in his testimony. The initiative is designed to change the way Microsoft designs, tests and operates its products and services so that secure-by-design and secure-by-default principles are built in.

“In sum, we accept responsibility for the past and are applying what we’ve learned to help build a more secure future. We are pursuing new strategies, investing more resources, and fostering a stronger cybersecurity culture,” Smith commented.

Microsoft Delays Roll-Out of Windows Recall Feature

Shortly after Smith’s testimony on June 13, Microsoft announced it will delay the planned rollout of its Recall AI feature for Copilot+ PCs and Windows PCs, following feedback from its Windows Insider Community.

The company said in a blog post that Recall will now shift from a preview experience broadly available for Copilot+ PCs on June 18, 2024, to a preview available first in the Windows Insider Program (WIP) in the coming weeks.

This is to allow time to conduct further security testing of the AI-powered feature.

This follows significant privacy concerns over Recall, which continually records activity on users’ devices, including sensitive information, so that users can search back through what they have done.

The update follows a Microsoft announcement on June 7 that it would give customers a clearer choice to opt-in to the feature.
