The board issued sweeping recommendations that if implemented would dramatically strengthen the openness and security of the booming cloud computing industry.
The intrusion, which ransacked the Microsoft Exchange Online mailboxes of 22 organizations and more than 500 individuals around the world, was “preventable” and “should never have occurred,” the report concludes.
Perhaps most concerning, the board report makes clear, Microsoft still does not know how the Chinese carried out the attack.
In a statement to The Post, Microsoft said it appreciated the board’s work.
A Microsoft spokesman said that “recent events have demonstrated a need to adopt a new culture of engineering security in our own networks,” noting that the company had created an initiative to do so. “While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.”
The report is the third and most significant review by the two-year-old independent board, which investigates such incidents so that government officials and the broader security community can better protect the nation’s digital networks and infrastructure. The board, made up of government and industry experts, is chaired by Robert Silvers, the Department of Homeland Security’s undersecretary for policy.
U.S. intelligence agencies say the breach, discovered in June, was carried out on behalf of Beijing’s top spy service, the Ministry of State Security (MSS). The service runs a vast hacking operation that includes the group that carried out the intrusion campaign dubbed Operation Aurora, which was first publicly disclosed in 2010 by Google.
The 2023 Microsoft intrusions exploited security gaps in the company’s cloud, allowing MSS hackers to forge credentials that enabled them to siphon emails from Cabinet officials such as Raimondo, as well as Nicholas Burns, the U.S. ambassador to China, and other top State Department officials.
“Throughout this review, the board identified a series of Microsoft operational and strategic decisions that collectively points to a corporate culture that deprioritized both enterprise security investments and rigorous risk management,” it said.
In other words, the report says, the firm’s “security culture was inadequate and requires an overhaul.”
The U.S. government relies on Microsoft as one of its largest providers of software and cloud services — contracts worth billions of dollars a year.
One of the sharpest rebukes is reserved for the company’s public messaging around the case. Microsoft, the board found, for months did not correct inaccurate or misleading statements suggesting the breach was due to a “crash dump,” or leftover data contained in the wake of a system crash. In fact, the report notes, Microsoft remains unsure if this event led to the breach.
Microsoft amended its public security statements only on March 12 after repeated questioning by the board about plans to issue a correction and when it was clear the board was concluding its review.
The board faults “Microsoft’s decision not to correct in a timely manner its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not,” according to the report.
Microsoft’s initial statement about the intrusion was made in July, noting that a China-based adversary had somehow obtained a “signing” key — or digital certificate — allowing the hackers to forge users’ credentials and steal Outlook emails.
In a Sept. 6 statement update, Microsoft suggested that the hackers obtained the key through its inadvertent inclusion in the crash dump, which was not detected by the firm’s security systems.
However, in November, Microsoft acknowledged to the board that the September blog post “was inaccurate,” the report stated.
Microsoft updated the post a few weeks ago. In the update, the Microsoft Security Response Center admits that “we have not found a crash dump containing the impacted key material.”
After years of touting the strength of its cybersecurity, Microsoft — the world’s most valuable company — has been beset by recent embarrassing breaches. In early 2021, Chinese government-sponsored hackers compromised Microsoft Exchange email servers, putting at risk at least 30,000 public and private entities in the United States along with at least 200,000 worldwide.
In January, Microsoft detected an attack on its corporate email systems by the Russian foreign spy service, the SVR. The company said the spies broke into a testing unit, moving somehow from there into emails of senior executives and security personnel. Microsoft alerted its customer Hewlett-Packard Enterprise that it had been hacked as part of that campaign, and U.S. officials told The Post last month that there were dozens of other victims, including Microsoft resellers.
Taken together, “these are indications things are quite broken,” said one person familiar with the board’s findings, who like others spoke on the condition of anonymity because the report was not yet public.
The State Department detected the Chinese breach in June and informed Microsoft, according to U.S. officials. The report notes that the agency was able to detect the intrusion in part because it had paid for a higher tier of service that included audit logs, which helped determine that the hackers had downloaded some 60,000 emails. The company is now providing U.S. agencies that service free after negotiations with federal officials.
The report details what it calls a “cascade of avoidable errors.” For instance, Microsoft had not noticed the presence of an old signing key from 2016 that should have been disabled but wasn’t. “That one just sat for years, kind of forgotten,” a second person said. Part of the problem was that Microsoft was supposed to switch from a manual key rotation to an automated system that minimized the chance of human error. But that switch never happened. “They never prioritized fixing the problem,” the first person said.
Another error was that the key worked on both business and consumer networks, violating standard protocol. “There were multiple points where just basic things would have made a difference,” the second person said.
A third error noted in the report was that Microsoft security teams did not realize that an engineer whose firm had been acquired in 2020 was working on a compromised laptop that in 2021 was allowed to access the corporate network. According to people familiar with the board’s findings, there’s no evidence that the engineer’s machine was the cause of the breach, though Microsoft suggested in its March update that a “compromised engineering account” is the “leading hypothesis” for how the breach occurred.
The root cause may never be known, the report indicates, but Microsoft did not do an adequate assessment of the acquired firm’s network security before allowing the engineer to plug in his laptop — a basic failure to follow standard cybersecurity practice.
Microsoft cooperated with the board’s investigation, the report notes.
The report caps years of growing frustration with Microsoft among lawmakers, government officials and industry experts. In 2020, Russian government hackers penetrated the network software company SolarWinds to target emails of U.S. government agency employees. One way they stole emails was by exploiting weaknesses in a Microsoft program that some companies use on their own email servers to authenticate employees. The SolarWinds breach affected at least nine federal agencies and 100 private-sector companies.
The following year, Microsoft President Brad Smith told Senate lawmakers that customers who want “the best security should move to the cloud” — the same cloud, or remote servers, that fell victim to the Chinese hack last year. Following that intrusion, Sen. Ron Wyden (D-Ore.) wrote to several government agencies asking that they hold Microsoft accountable for its pattern of lapses.
The 2023 breach could have been far broader. With the stolen key, the hackers “could have minted authentication tokens [credentials] for pretty much any online Microsoft account,” a third person familiar with the matter said. But they apparently opted to target particular people of interest, such as the commerce secretary, a congressman and State Department officials who handle China issues, the person said.
The report emphasizes that big cloud providers, such as Microsoft, Amazon and Google, are enormous targets and must do better for everyone’s sake: “The entire industry must come together to dramatically improve the identity and access infrastructure. … Global security relies upon it.”
DHS officials said they would launch a major initiative and meet with the companies to push higher standards for security practices.
“The set of recommendations regarding cloud service provider transparency, whether it’s about vulnerabilities or incidents or security practices more generally, that is something the government as a customer is going to be doing more on,” said Eric Goldstein, executive assistant director of DHS’s Cybersecurity and Infrastructure Security Agency.
The report also makes recommendations that address practices such as handling signing keys and managing credentials.
One recommendation borrows from the company’s founder, Bill Gates, who in 2002 wrote an email to his staff emphasizing that security was a priority. “In the past,” Gates noted in his missive, “we’ve made our software and services more compelling for users by adding new features and functionality.” None of that matters unless customers can trust the software, he said. “So now, when we face a choice between adding features and resolving security issues, we need to choose security,” he wrote.
The panel recommended that Microsoft should heed Gates’s strategy and consider holding off on new features until it has fixed its security issues.
The panel’s independent nature means no government body — not the White House or the Department of Homeland Security, which houses the panel — can dictate the report’s findings or recommendations.
“It took the creation of something like this board to produce a credible and unbiased assessment of Microsoft’s behavior, which is a necessary step to accountability,” said Jason Kikta, former head of private-sector partnerships at U.S. Cyber Command and now chief information security officer at the IT software firm Automox.
