Cyber Safety Review Board Report Slams Microsoft Security Failures in Government Email Breach

Written by

Microsoft has been blamed for “cascade of security failures” that enabled Chinese threat actors to access US government officials’ emails in the Summer of 2023, an independent report has concluded.

The US Department of Homeland Security (DHS) published the Cyber Safety Review Board’s (CSRB) report into the incident on April 2, 2024, which found that the Microsoft Online Exchange intrusion was preventable and should never have occurred.

The CSRB also issued recommendations to Microsoft and all cloud service providers (CSPs) to ensure intrusion of this magnitude does not happen again.

Microsoft Online Exchange Intrusion Timeline

Microsoft first revealed the espionage attack by Chinese threat actor Storm-0558 in July 2023. 

A subsequent report by the tech giant in September 2023 provided further details into how the attackers gained access to the email accounts of 25 organizations, including US government officials.

This included the email accounts of Commerce Secretary Gina Raimondo and United States Ambassador to the People’s Republic of China R. Nicholas Burns.

Storm-0558 forged authentication tokens using an acquired Microsoft encryption key, which, when combined with another flaw in Microsoft’s authentication system, allowed them to gain full access to essentially any Exchange Online account anywhere in the world.

In August 2023, the DHS announced it would investigate Microsoft’s security practices in relation to the incident.

The CSRB obtained data from and conducted interviews with 20 organizations and experts including cybersecurity companies, technology companies, law enforcement, security researchers, academics, and several impacted organizations, to make its findings.

Multiple Security Failings at Microsoft

An Inadequate Security Culture

The CSRB found that Microsoft’s security culture was inadequate, based on a range of operational and strategic failings before and after the incident. This included numerous avoidable errors that allowed the attack to succeed and failing to correct, in a timely manner, incorrect public statements about how the incident occurred.

Storm-0558 obtained a Microsoft Services Account (MSA) cryptographic key that was issued in 2016, with the tech giant still unable to demonstrate how this was accessed.

The Board noted that Microsoft stopped its infrequent and manual rotation of consumer MSA keys in 2021 following a major cloud outage linked to the manual rotation process. It failed to create an automated alerting system to notify the appropriate Microsoft teams about the age of active signing keys in the consumer MSA service.

This enabled the Chinese threat actor to forge authentication tokens that allowed it to access email systems. Although this access should have been limited to consumer email systems, a previously unknown flaw allowed tokens to access enterprise email accounts, such as those at the US State and Commerce departments.

This flaw was caused by Microsoft’s efforts to address customer requests for a common OpenID Connect (OIDC) endpoint service that listed active signing keys for both enterprise and consumer identity systems.

Microsoft informed the CSRB that Storm-0558 had compromised its corporate network via an engineer’s account in 2021, but offered no specific evidence that this intrusion was linked to the 2023 Exchange compromise.

Microsoft said in a September 2023 blog that the group had obtained the key from a crash dump to which it had access during the 2021 compromise. However, this was only ever a theory, and Microsoft eventually updated the blog in March 2024 to confirm that it has not determined that this is how Storm-0558 obtained the key.

Gaps in M&A Security

The report also found this 2021 compromise highlighted gaps within Microsoft’s mergers and acquisitions (M&A) security compromise assessment and remediation process.

This is because the engineer whose credentials were compromised was previously employed by Affirmed Networks, acquired by Microsoft in April 2020. Following the acquisition, Microsoft supplied corporate credentials to the acquired engineer that allowed access to its corporate environment with the compromised device.

Other notable security failings by Microsoft highlighted in the report were:

  • The company failed to the detect the compromise of its cryptographic crown jewels on its own, only launching an investigation after the State department contacted the firm about the event
  • Microsoft did not maintain security practices that were in place at other CSPs. These include automated regular key rotation, storage of keys in segmented and isolated systems, and limiting the scope of keys
  • The disclosure of a separate incident in January 2024, in which the Russian state-sponsored group Midnight Blizzard compromised Microsoft’s systems, allowing access to highly-sensitive corporate email accounts, source code repositories and internal systems

Security Recommendations for Microsoft and Other CSPs

The CSRB set out a range of recommendations for Microsoft and all other CSPs to follow to prevent this type of intrusion occurring again. These include:

  • The CEO and board members should directly focus on the organization’s security culture, with Microsoft’s leadership sharing a plan to make fundamental, security-focused reforms across the company and its full suite of products
  • Consider deprioritizing feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made
  • Take accountability for the security outcomes of their customers, making security a business priority
  • Offer granular logging as a core element of cloud offerings, rather than part of a paid package to customers’ core services
  • Revise and review logging and overall forensics capabilities around identity systems and other systems that enable environment-level compromise. CSPs should maintain sufficient forensics to detect exfiltration of this data
  • Engineer digital identity and credential systems to substantially reduce the risk of complete system compromise. These include technical mechanisms such as stateful tokens, automated frequent key rotation, per customer keys, common authentication libraries and secure key storage
  • Allow CISA to conduct an annual validation review of security practices being implemented
  • Develop robust compromise assessment and remediation processes for enterprises they acquire or merge with
  • CSPs should work with CISA to define and adopt a minimum standard for default audit logging in cloud services

Secretary of Homeland Security Alejandro N. Mayorkas, commented: “Nation-state actors continue to grow more sophisticated in their ability to compromise cloud service systems. Public-private partnerships like the CSRB are critical in our efforts to mitigate the serious cyber threat these nation-state actors pose.

“The Department of Homeland Security appreciates the Board’s comprehensive review and report of the Storm-0558 incident. Implementation of the Board’s recommendations will enhance our cybersecurity for years to come.”

CSRB Acting Deputy Chair, Dmitri Alperovitch, noted that the Storm-0558 group has been tracked for over 20 years, and has been linked to other high-profile cloud provide compromises in that time, such as Operation Aurora in 2009 and RSA SecureID in 2011.

“This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government. Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors,” warned Alperovitch.

Image credit: IB Photography / Shutterstock.com

What’s hot on Infosecurity Magazine?