The intrusion by Storm-0558, a hacking group affiliated with the People’s Republic of China, into the Microsoft Exchange Online service during the summer of 2023 could have been prevented, according to a report released by the Cyber Safety Review Board in late March.
The findings and recommendations within the report are based on a seven-month independent review conducted by the CSRB, which saw participation and cooperation from various stakeholders, including law enforcement organizations, cybersecurity companies, organizations that were impacted by the attack and Microsoft itself, the Department of Homeland Security said Tuesday.
The report attributes the success of Storm-0558’s hacking campaign to the inadequacy of the security culture within Microsoft as illustrated by a number of failures, including the company’s inability to detect the compromised status of an employee’s laptop, through which, it is believed, Storm-0558 managed to obtain Microsoft cryptographic signing keys.
With these keys, the hackers gained access to and exfiltrated information from Microsoft’s email service, compromising the accounts of numerous U.S. government officials, including those of Commerce Secretary Gina Raimondo, Rep. Don Bacon and U.S. Ambassador to the People’s Republic of China R. Nicholas Baum.
Illegal access to the email accounts is believed to have begun on May 15, but Microsoft did not initiate response efforts until June 16, after the Department of State notified the company of anomalous service activity.
To bring about change in Microsoft’s security culture, the report recommends that the company formulate and publicly disclose a plan on how it would reform its security practices, an effort for which senior officers would be held accountable. The report also recommends that, in the meantime, the company divert personnel to focus on product security improvements rather than feature development.
As for the broader industry, the report recommends, among other things, that cloud service providers implement modern control mechanisms as well as emerging digital identity standards. The report also calls for the adoption of a minimum standard for cloud service audit logging to facilitate the detection and investigation of intrusions.