The US Department of Homeland Security (DHS) has released a critical assessment of Microsoft's security practices following the Exchange Online breach in summer 2023, concluding that security failures within Microsoft created the conditions that made it possible for the Chinese state-sponsored hacking group Storm-0558 to gain access to sensitive government emails and data.
An independent review by the Cyber Security Review Board (CSRB), released by DHS, found the intrusion to be “preventable,” highlighting a worrying pattern of Microsoft underinvesting in enterprise security.
The report also pointed to deficiencies in Microsoft's public communications, noting that the company's September 2023 blog post detailing the root causes of the breach was only revised in March 2024, following persistent scrutiny from the board. The report emphasizes that the post was only revised in February.
A targeted cyber attack on U.S. government email leveraged forged Microsoft access tokens. In this operation, a China-based cyber threat group used a compromised Microsoft consumer account signing key to create counterfeit tokens. These tokens were then used against Outlook Web Access (OWA) and Outlook.com, allowing unauthorized access to sensitive email accounts.
“This People's Republic of China-affiliated hacker group has the ability and intent to compromise identity systems in order to access sensitive data, including personal email, that is important to the Chinese government,” CSRB Acting Vice Chairman Dmitri Alperovitch said in a news release. “Cloud service providers (CSPs) must urgently implement these recommendations to protect their customers from such persistent and harmful threats posed by nation-state actors.”
Microsoft said in a statement that it has begun addressing these issues with its Secure Future Initiative and will consider the board's recommendations. “While no organization is immune to cyberattacks from resource-rich adversaries, we mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and conduct security benchmarks,” said a Microsoft spokesperson.
In its report, the CSRB recommends that Microsoft publish a detailed plan that includes a baseline timeline for company-wide security reforms. The report also suggests that all cloud service providers, not just Microsoft, stop charging customers for security logs.
The CSRB's recommendations cover a number of areas, starting with implementing modern control mechanisms and baseline practices across digital identity and credential systems. The report also highlights the importance of establishing minimum standards for default audit logging in cloud services.
“CSPs must maintain sufficient forensics to detect data exfiltration, including logging all access to these systems and private keys stored within them,” the report states. It recommends that the log retention period cover the entire lifetime of the key and extend at least two years beyond its expiration date, and notes that high-value logs may require a longer retention period of 10 years.
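The token-forgery path described above (a consumer signing key used to mint tokens for enterprise mailboxes) and the report's logging recommendation can be illustrated with a small token verifier. The following is an added example written for this article, not code from the CSRB report, Microsoft, or any identity product; the HS256 token format, the key registry, the audience names, the secrets and the timestamps are all constructed assumptions. It shows the defensive principle that a valid signature alone is not sufficient: each signing key is bound to the audiences it is permitted to sign for and checked against its own lifetime, and every acceptance or rejection is written to an audit record whose retention floor is computed as key lifetime plus two years.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

NOW = 1_700_000_000          # constructed "current time" so the run is deterministic
SECONDS_PER_YEAR = 365 * 86400


@dataclass(frozen=True)
class SigningKey:
    key_id: str
    secret: bytes
    allowed_audiences: frozenset  # audiences this key may sign tokens for (key scope)
    not_before: int               # start of key lifetime, epoch seconds
    expires_at: int               # end of key lifetime, epoch seconds


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: SigningKey, claims: dict) -> str:
    """Issue a compact HS256 token: base64url(header).base64url(claims).base64url(sig)."""
    header = {"alg": "HS256", "kid": key.key_id}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_token(token: str, keyring: dict, expected_audience: str,
                 now: int, audit_log: list) -> Optional[dict]:
    """Return the claims if the token is acceptable for expected_audience, else None.
    Every decision is appended to audit_log so a later investigation can reconstruct it."""
    def reject(reason: str, kid: Optional[str] = None):
        audit_log.append({"result": "rejected", "reason": reason, "kid": kid,
                          "aud": expected_audience, "ts": now})
        return None

    parts = token.split(".")
    if len(parts) != 3:
        return reject("malformed")
    h64, c64, s64 = parts
    try:
        header = json.loads(_unb64(h64))
        claims = json.loads(_unb64(c64))
        provided_sig = _unb64(s64)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return reject("malformed")
    kid = header.get("kid")
    key = keyring.get(kid)
    if key is None:
        return reject("unknown_key", kid)
    expected_sig = hmac.new(key.secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        return reject("bad_signature", kid)
    if not (key.not_before <= now < key.expires_at):
        return reject("key_outside_lifetime", kid)
    # Key scope: a correct signature from the wrong class of key is still a forgery.
    # The key must be permitted to sign for this audience and the claim must match.
    if expected_audience not in key.allowed_audiences or claims.get("aud") != expected_audience:
        return reject("key_scope_violation", kid)
    if claims.get("exp", 0) <= now:
        return reject("token_expired", kid)
    audit_log.append({"result": "accepted", "kid": kid, "sub": claims.get("sub"),
                      "aud": expected_audience, "ts": now})
    return claims


def log_retention_deadline(key: SigningKey, years_after_expiry: int = 2) -> int:
    """Earliest time key-access logs may be discarded: key lifetime plus two years (the report's floor)."""
    return key.expires_at + years_after_expiry * SECONDS_PER_YEAR


# Constructed keys: a consumer-scoped key and an enterprise-scoped key, same lifetime.
CONSUMER_KEY = SigningKey("consumer-2023", b"consumer-secret-demo",
                          frozenset({"consumer-mail"}), 1_690_000_000, 1_720_000_000)
ENTERPRISE_KEY = SigningKey("enterprise-2023", b"enterprise-secret-demo",
                            frozenset({"enterprise-mail"}), 1_690_000_000, 1_720_000_000)
KEYRING = {k.key_id: k for k in (CONSUMER_KEY, ENTERPRISE_KEY)}


def demo():
    audit = []
    claims = {"sub": "alice@agency.example", "aud": "enterprise-mail", "exp": NOW + 3600}
    legit = sign_token(ENTERPRISE_KEY, claims)   # issued by the key scoped to this audience
    forged = sign_token(CONSUMER_KEY, claims)    # same claims, signed with the consumer key
    accepted = verify_token(legit, KEYRING, "enterprise-mail", NOW, audit)
    rejected = verify_token(forged, KEYRING, "enterprise-mail", NOW, audit)
    return accepted, rejected, audit


if __name__ == "__main__":
    _, _, entries = demo()
    for entry in entries:
        print(entry)
```

The forged token in `demo()` carries a signature that verifies correctly under the consumer key, yet it is refused with reason `key_scope_violation` because that key is not permitted to sign for the enterprise audience. The audit entries are the forensic trail the report calls for; `log_retention_deadline()` gives the earliest date at which they could be discarded under the two-year-past-key-expiry floor.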
To further strengthen security, the CSRB advises cloud service providers to adopt new digital identity standards. The report calls on the relevant standards bodies to improve and update these standards and incorporate them into frameworks that better address the risks commonly exploited in the modern threat landscape.
Transparency is another key focus of the CSRB's recommendations. The report challenges cloud service providers to adopt incident and vulnerability disclosure practices that maximize transparency between customers, stakeholders, and the U.S. government. It also considers it essential to develop more effective victim notification and support mechanisms.
The report also highlights the need for updates to the Federal Risk and Authorization Management Program (FedRAMP) and its supporting framework. The CSRB recommends that the U.S. government establish a process for conducting special discretionary reviews of program-approved cloud service offerings, particularly in the aftermath of high-impact incidents.
Additionally, the National Institute of Standards and Technology (NIST) is encouraged to incorporate feedback on observed threats and incidents related to cloud provider security into its guidelines and standards.
Secretary of Homeland Security Alejandro Mayorkas emphasized the critical importance of cybersecurity cooperation in the report, saying, “The security of this technology has never been more important.”