A review board established by President Joe Biden is blaming Microsoft’s company culture for a hack that compromised the emails of more than 500 people, including the secretary of commerce.
“The board finds that Microsoft had not sufficiently prioritized rearchitecting its legacy infrastructure to address the current threat landscape,” the report reads.
The report is the culmination of an investigation into a major hack last year that saw suspected China-based hackers steal tens of thousands of emails from hundreds of critical accounts in the U.S. and other governments.
Among the email accounts breached were those of Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns, Assistant Secretary of State Daniel Kritenbrink, and Rep. Don Bacon (R-Neb.).
The report highlights how Microsoft initially believed the hack to have been carried out with stolen encryption keys, taken either from a stolen device or from a compromised account.
However, it was discovered much later that Storm-0558 had forged its own security token from a stolen signing credential to access Microsoft cloud systems as far back as 2016.
“As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key,” the report reads.
The report also condemns Microsoft leadership for delaying the retirement of authentication keys in 2021, which would have made the forged access keys useless.
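The point in the preceding paragraphs, that retiring a signing key invalidates every token made with it, forged or not, as an added illustration (not code from the report or from Microsoft): a verifier keeps a key registry with retirement dates and rejects a token under a retired key before it even checks the signature. The registry, the key id `key-1`, the token payload and the 2021 retirement date are constructed for the example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)
// SigningKey is one entry in a hypothetical verifier's key registry.
type SigningKey struct {
	Public    *rsa.PublicKey
	RetiredAt time.Time // zero value: key still active
}
var ErrUnknownKey = errors.New("unknown key id")
var ErrRetiredKey = errors.New("signing key retired: token rejected")
var ErrBadSignature = errors.New("bad signature")
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
// Verify accepts a token only if its key id is known, the key is not retired as of now, and
// the RSA PKCS#1 v1.5 signature is valid; retirement is checked before the signature.
func Verify(reg map[string]SigningKey, kid string, payload, sig []byte, now time.Time) error {
	k, ok := reg[kid]
	if !ok {
		return ErrUnknownKey
	}
	if !k.RetiredAt.IsZero() && !now.Before(k.RetiredAt) {
		return ErrRetiredKey
	}
	if rsa.VerifyPKCS1v15(k.Public, crypto.SHA256, digest(payload), sig) != nil {
		return ErrBadSignature
	}
	return nil
}

// Demo signs a constructed token body, then verifies it one day before and one day after retirement.
func Demo() (beforeRetire, afterRetire error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	retire := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC) // constructed retirement date
	reg := map[string]SigningKey{"key-1": {Public: &priv.PublicKey, RetiredAt: retire}}
	tok := []byte(`{"sub":"user@example.test","aud":"mail"}`) // constructed payload
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(tok))
	return Verify(reg, "key-1", tok, sig, retire.Add(-24*time.Hour)),
		Verify(reg, "key-1", tok, sig, retire.Add(24*time.Hour))
}

func main() {
	b, a := Demo()
	fmt.Println("before retirement:", b, "| after retirement:", a)
}
```

The same signature passes on the day before retirement and is refused the day after, which is the effect a timely key rotation would have had on tokens minted with the stolen key.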
Both Microsoft and the board reported that the hacking operation was part of a much broader state-backed plot by communist China.
Microsoft assessed the breach as part of “a targeted information-collection operation aimed at fulfilling [China’s] intelligence needs.”
“The board believes that the actor also prioritized high-value and time-sensitive collection missions,” the report reads.
To that end, Microsoft believes that Storm-0558 narrowed the scope of this particular intrusion to reduce the chance of detection, but could have seized much more.
In the end, Microsoft invalidated the stolen key that the threat actor was using, at which point Storm-0558 appeared to lose access to the breached accounts, as evidenced by immediate phishing attempts to regain access.
The board found Microsoft’s culture to be “inadequate” for ensuring in-depth security.
“The board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the report reads.
“[Microsoft’s position] requires a security-focused corporate culture of accountability, which starts with the CEO, to ensure that financial or other go-to-market factors do not undermine cybersecurity and the protection of Microsoft’s customers.”