The intrusion, which ransacked the Microsoft Exchange Online mailboxes of 22 organizations and more than 500 individuals around the world, was “preventable” and “should never have happened,” the report concludes.
Perhaps most worryingly, the board report reveals that Microsoft still does not know how the Chinese carried out the attack.
In a statement to the Post, Microsoft said it appreciated the board's efforts.
“Recent events demonstrate the need to introduce a new culture of engineering security to our networks,” a Microsoft spokesperson said, noting that the company has launched a new initiative to do so. . “While no organization is immune to cyberattacks from well-resourced adversaries, we mobilize our engineering teams to identify and mitigate legacy infrastructure, improve processes, and improve security benchmarks. It was conducted.”
The report is the third and most significant review by an independent panel that investigates such incidents to help government officials and the broader security community better protect the nation's digital networks and infrastructure. . The board is comprised of government and industry experts and is chaired by Robert Silvers, Under Secretary for Policy at the Department of Homeland Security.
US intelligence agencies say the breach, discovered last June, was carried out on behalf of the Chinese government's top spy agency, the Ministry of State Security (MSS). The service has conducted extensive hacking operations, including the group behind the intrusion campaign called “Operation Aurora,” which was first publicized by Google in 2010.
In the 2023 Microsoft breach, MSS hackers exploited security gaps in the company's cloud to forge credentials and siphon emails from Cabinet members like Raimondo, US Ambassador to China Nicholas Burns, and other State Department officials. is now possible.
“Through this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a company culture that deprioritizes both the company's security investments and rigorous risk management.” the commission said.
In other words, the report says the company's “security culture is inadequate and in need of a thorough review.”
The U.S. government relies on Microsoft as one of its largest providers of software and cloud services, with contracts worth billions of dollars annually.
One of the sharpest criticisms was directed at the company's public messaging about the incident. For months, Microsoft failed to correct inaccurate or misleading statements suggesting the breach was due to “crash dumps,” or residual data contained after a system crash, according to the commission's investigation. . In fact, the report states that Microsoft is still unsure whether this event led to a breach.
Microsoft finally amended its public safety statement on March 12, after repeated questions from its board about its plans to issue an amendment and after it became clear that the board was finalizing its consideration.
According to the paper, the board of directors “resolved inaccurate public statements about the incident, including a company statement saying Microsoft believed it had discovered what appeared to be the root cause of the breach, which in fact remains unsolved. It blames Microsoft's decision not to correct the issue in a timely manner. Report.
Microsoft's first statement about the intrusion was in July, when China-based attackers somehow obtained “signing” keys (digital certificates) that allowed hackers to forge user credentials and access Outlook. He pointed out that it made it possible to steal e-mails.
In an updated statement on September 6, Microsoft suggested that the hacker obtained the key by inadvertently including it in a crash dump, but that the key was not detected by the company's security systems.
However, in November, Microsoft admitted to its board that the September blog post was “inaccurate,” the report said.
Microsoft updated this post a few weeks ago. In this update, the Microsoft Security Response Center acknowledges that “no crash dumps containing affected key material were found.”
Microsoft, the world's most valuable company, has touted the strength of its cybersecurity for years, but has been plagued by embarrassing breaches in recent years. In early 2021, Chinese government-backed hackers compromised Microsoft Exchange email servers, putting at least 30,000 public and private companies in the United States and at least 200,000 businesses around the world at risk.
In January, Microsoft detected an attack on corporate email systems by the Russian foreign spy service SVR. The company said the spies infiltrated the testing department and from there accessed the emails of senior executives and security personnel. Microsoft warned its customer Hewlett-Packard Enterprise that it had been hacked as part of that campaign, and U.S. officials told The Post last month that dozens of other victims, including Microsoft resellers, had been hacked. He said he was there.
Taken together, “these things indicate that things are pretty broken,” said a person familiar with the board's findings. The person spoke on condition of anonymity because the report has not yet been made public.
The State Department discovered the breach in June and notified Microsoft, U.S. officials said. The report said authorities were able to detect the intrusion because they paid for higher-tier services that included audit logs, which helped them identify that the hackers had downloaded about 60,000 emails. , he points out. The company is currently offering its services free of charge to U.S. distributors after negotiating with federal authorities.
The report details what it calls the “avoidable cascade of errors.” For example, Microsoft wasn't aware of the existence of an old signing key from 2016 that should have been disabled but wasn't. “It was abandoned and forgotten for years,” said another. Part of the problem is that Microsoft was supposed to switch from manual key rotation to an automated system that minimizes the chance of human error. But that switch never happened. “They never prioritized solving the problem,” the first official said.
Another error was that the key worked on both business and consumer networks, violating standard protocols. “There were multiple points where there was a difference, even if it was just the basics,” said the second person.
The third error noted in the report was that Microsoft revealed that an engineer whose company was acquired in 2020 was working on a compromised laptop that had been given access to the corporate network in 2021. The company's security team was not aware of it. There is no evidence that the engineer's machine was the cause of the breach, according to a person familiar with the committee's findings, but Microsoft said in a March update that a “compromised engineering account” was a “likely” explanation for how the breach occurred. He suggested that it was a hypothesis.
The root cause may never be known, the report notes, but Microsoft did not properly assess the network security of the companies it acquired before allowing engineers to connect to their laptops. This is a fundamental failure to follow standard cybersecurity practices.
Microsoft cooperated with the board's investigation, the report said.
This report ends years of growing dissatisfaction with Microsoft among legislators, government officials, and industry experts. In 2020, Russian government hackers infiltrated network software company SolarWinds and targeted the emails of U.S. government employees. One way to steal email was to exploit a weakness in a Microsoft program that some companies use on their email servers to authenticate employees. The SolarWinds breach affected at least nine federal agencies and 100 private companies.
The following year, Microsoft President Brad Smith told senators that “customers who want the best security should move to the cloud.” By cloud, I mean the same cloud that was the victim of a Chinese hack last year: remote servers. In response to the breach, Sen. Ron Wyden (D-Ore.) sent a letter to multiple government agencies calling for them to hold Microsoft accountable for its pattern of failures.
The 2023 breach could have been even more widespread. Using the stolen keys, the hackers were 'able to mint authentication tokens' [credentials] It applies to nearly all online Microsoft accounts,” said a third party familiar with the matter. But they appear to have chosen to target specific people of interest, including the secretary of commerce, members of Congress and State Department officials responsible for China affairs, the people said.
The report highlights that major cloud providers such as Microsoft, Amazon, and Google are huge targets and need to improve further for everyone's benefit. “The entire industry will need to come together to dramatically improve identity and access infrastructure. …The world's security depends on it.”
We also make recommendations that address practices such as signing key handling and credential management.
One of the recommendations comes from the company's founder, Bill Gates, who wrote an email to employees in 2002. He emphasized that safety is the top priority. “Over the years, we have made our software and services more attractive to users by adding new features and functionality,” Gates said in his letter. None of that matters if customers can't trust the software, he said. “So now, when we have to choose between adding functionality and solving security problems, we must choose security,” he wrote.
The committee recommended that Microsoft heed Gates' strategy and consider holding off on introducing new features until security issues are resolved.
The independent nature of the commission means that no government agency, not the White House or the Department of Homeland Security, which creates the commission, can influence the report's findings or recommendations.
Jason Kikuta, former director of private sector partnerships and current chief information security officer for the U.S. Cyber Command, said, “The creation of something like this committee is essential to producing a reliable and unbiased assessment of Microsoft's actions.'' “It was necessary. This is a necessary step for accountability.” at IT software company Automox.
