DHS: Microsoft Exchange Attack Preventable, Corporate Culture 'Deprioritized' Security

A new federal report blames Microsoft for what it calls a “preventable” Microsoft Exchange intrusion by Storm-0558, a hacking group assessed to be affiliated with the People’s Republic of China.

The U.S. Department of Homeland Security (DHS) released the Cyber Safety Review Board’s (CSRB) findings and recommendations following its independent review of the intrusion, which was initially reported last July.

According to Microsoft's investigation, a Microsoft engineer’s compromised corporate account allowed Storm-0558 to gain access to email accounts as early as 2021 to spy on the U.S. State and Commerce departments, and other U.S. government agencies. Storm-0558 gained access to email accounts affecting about 25 organizations in the public cloud, including government agencies and consumers.

The CSRB obtained data from and conducted interviews with 20 organizations and experts, including cybersecurity companies, technology companies, law enforcement organizations, security researchers, academics, as well as several impacted organizations.

Corporate Culture Allowed Microsoft Exchange Intrusion

The CSRB’s review found that the Microsoft Exchange intrusion was preventable. It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that “deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

Related:After 'Mitigated' Microsoft Cyber Attack, Partners Mull Best Security Practices

The Board recommends Microsoft develop and publicly share a plan with specific timelines to make fundamental, security-focused reforms across the company and its suite of products. Microsoft fully cooperated with the board’s review.

DHS' Robert Silvers

“Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy,” said Robert Silvers, DHS under secretary of policy and CSRB chair. “It is imperative that cloud service providers prioritize security and build it in by design. The board has become the authoritative organization for conducting fact-finding and issuing recommendations in the wake of major cyber incidents, receiving extensive industry and expert input in each of its three reviews to date. We appreciate Microsoft’s full cooperation in the course of the board’s seven-month, independent review. We also appreciate the input received from 19 additional companies, government agencies and individual experts.”

Threat Actor Tracked for More than 20 Years

The threat actor responsible for this “brazen” intrusion has been tracked by the industry for more than 20 years and has been linked to 2009 Operation Aurora and 2011 RSA SecureID compromises, said Dmitri Alperovitch, CSRB acting deputy chair.

“This People’s Republic of China-affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government,” he said. “Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors.”

Microsoft sent us the following statement:

"We appreciate the work of the CSRB to investigate the impact of well-resourced, nation-state threat actors who operate continuously and without meaningful deterrence. As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks. Our security engineers continue to harden all our systems against attack, and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations."

‘Systemic Issues’ Within Microsoft

Javvad Malik, lead security awareness advocate at KnowBe4, said it's vital to “absorb the gravity” of what occurred.

“Microsoft is a cornerstone of global IT infrastructure, yet a cryptographic key wasn't rotated for seven years and laid poorly protected in legacy systems, allowing criminals high levels of access is troubling on many levels,” he said. “The CSRD report shed light on systemic issues within Microsoft, stating ‘Microsoft’s security culture was inadequate.’ This is a key point, and in the words of John R. Childress, ‘you get the culture you ignore.’ A strong security culture does not create itself, it is something that needs to be fostered and continually nurtured. Simply fixing what went wrong isn't enough. Rather, Microsoft needs to transform how security is valued and integrated at every level of the organization and with every individual."

For the broader tech community, it's a reminder of the interconnected world we live in, where the ripple effects of a breach or failure can extend far beyond the initial point of compromise, Malik said.

“As we advance technologically, our approach to security must also evolve, emphasizing proactive measures, transparency in the face of incidents, and a culture that views security as foundational, not ancillary,” he said.