June 30, 2024

Microsoft is criticised by the US for security flaws that allowed a Chinese hack


According to a federal report, the tech giant made a number of errors that allowed Chinese operators to access senior government officials’ email accounts.

A review board appointed by the Biden administration released a report on Tuesday that is critical of Microsoft’s corporate security and transparency. According to the report, the internet giant made “a cascade of errors” that gave state-backed Chinese cyber operators access to the email accounts of senior US officials, including that of Gina Raimondo, the secretary of commerce.

The Cyber Safety Review Board, which was formed by executive order in 2021, brought to light inadequate cybersecurity procedures, a lax corporate culture, and a lack of transparency about what Microsoft knew of the targeted hack. Numerous US agencies that do business with China were impacted by the hack.

Given how widely Microsoft’s products are used and the company’s pivotal role in the global technology ecosystem, the assessment determined that its security culture was inadequate and required significant reform. Products made by Microsoft “are the foundation of essential services that support national security, the economy, and public health and safety.”

According to the panel, the infiltration, which the State Department discovered in June but which had been under way since May, “could have been prevented and should never have happened.” The panel attributed the breach’s success to “a series of avoidable errors.” The board also pointed out that Microsoft is still unsure of how the hackers obtained access.

Among the many suggestions given by the panel was that Microsoft hold off on adding new capabilities to its cloud computing environment until “significant security improvements” are implemented.

Microsoft stated that it appreciated the board’s investigation and would “continue to strengthen all our systems against attacks and implement even more robust sensors and logs to help us detect and repel our adversaries’ cyber armies.”

The report revealed that state-backed Chinese hackers infiltrated the Microsoft Exchange Online email of 22 organizations and over 500 individuals globally, including US Ambassador to China Nicholas Burns. The hackers accessed some cloud-based email boxes for at least six weeks and downloaded around 60,000 emails from the State Department alone. Three think tanks and four foreign government entities, including Britain’s National Cyber Security Center, were also compromised.

The board, convened by Homeland Security Secretary Alejandro Mayorkas in August, accused Microsoft of making inaccurate public statements about the incident. This included issuing a statement in September claiming it had identified the likely root cause of the intrusion, “when, in fact, it still has not.” Microsoft did not update this misleading blog post until mid-March, after the board repeatedly inquired about issuing a correction.

The board also voiced concerns about a separate hack that the Redmond, Washington-based company disclosed in January. That incident, which was linked to state-sponsored Russian hackers, compromised the email accounts of several high-ranking Microsoft executives as well as those of an unknown number of Microsoft clients.

The board criticized “a corporate culture that placed less emphasis on enterprise security investments and thorough risk management.”

Microsoft first made the Chinese attack public in July via a blog post. The hack was carried out by a group the company named Storm-0558. According to the panel, this group has been compromising cloud providers or collecting authentication keys to access accounts in similar attacks since at least 2009. Companies including Google, Yahoo, Adobe, Dow Chemical, and Morgan Stanley have been among its targets.

In its statement, Microsoft acknowledged that the hackers involved are “well-resourced nation-state threat actors who operate continuously and without significant deterrence.”

The company stated that recent events have highlighted the need to adopt a new culture of engineering security within its networks. It mentioned that it has mobilized its engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security standards.
