A Chinese state-backed intrusion last year into Microsoft Corp. technology, which enabled hackers to gather US officials’ emails, “should never have occurred,” according to a report released Tuesday by a government cyber review board.
The Cyber Safety Review Board, a White House-mandated group created to examine major cyberattacks, said Microsoft displayed corporate practices that “deprioritized both enterprise security investments and rigorous risk management.” The company’s security culture was “inadequate” and “requires an overhaul,” the report said.
The review board examined the 2023 hack of Microsoft Exchange Online mailboxes, in which outsiders breached 22 organizations and hundreds of individuals. US Commerce Secretary Gina Raimondo; the US ambassador to China, Nicholas Burns; and Representative Don Bacon, a Nebraska Republican, were among those ensnared in the campaign.
A hacking group associated with the Chinese government, known as Storm-0558, was behind the effort, the report said. Microsoft has still not determined how the attackers infiltrated the company, according to the report.
Reviewers also determined that the company was slow to update misleading or inaccurate disclosures about the incident. In one case, Microsoft suggested in September 2023 that hackers had used a tool known as a digital certificate to steal emails. It wasn’t until November that the firm acknowledged to the board that its September disclosure was “inaccurate,” according to the report.
Microsoft said it would review the report for additional recommendations.
“While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks,” a Microsoft spokesperson said.
While Microsoft is primarily known for its software for corporations and consumers, the Redmond, Washington-based company has emerged as the biggest provider of cybersecurity products in recent years — an area of the business that’s grown to about $20 billion annually.
US Senator Ron Wyden, who called for the probe, said that federal agencies share some of the blame for the breach “for showering Microsoft with billions of dollars in government contracts, without demanding the company meet minimum cybersecurity standards.”
“The government’s dependence on Microsoft poses a serious national security threat, which requires strong action,” the Democrat from Oregon said in a statement. “The government must set strict, minimum cybersecurity standards for technology vendors, adherence to those standards must be verified through independent audits, and companies and their senior executives that violate those standards must be held accountable.”