
DHS Finds 2023 Microsoft Security Breach Was Preventable, Chinese Hackers Took Advantage of Corporate Culture

A new report from the Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) has taken Microsoft to task for its culpability in the mid-2023 cyber attack by Chinese hackers that compromised government email accounts. The CSRB found that the security breach was preventable, and that “a corporate culture that deprioritized enterprise security investments and rigorous risk management” ended up leaving open doors for the hackers.

Chinese hackers took advantage of compromised employee laptop, legacy infrastructure weaknesses

The review is the third such conducted by the CSRB since it was convened in 2022; the purpose of these reviews is to both inform the presidential administration and the interview subject of specific failings during a security breach and to make recommendations for defensive improvement. In the case of this particular report, CISA will be convening major cloud service providers and using the recommendations to develop general industry guidance.

The DHS investigation was announced in August 2023, about a month after public news broke of the Chinese hackers making their way into Microsoft Exchange Online accounts belonging to government officials (and some figures in private industry). The security breach was attributed to Storm-0558, a Chinese state-backed threat group with a history of espionage missions and one that is believed to have been active since at least 2004.

CSRB specifically criticized a series of “operational and strategic decisions” that it said were indicative of corporate cultural issues at Microsoft, with the company accused of deprioritizing enterprise security investment and neglecting risk management processes. The security breach had previously been described as a “cascade of failures,” a characterization that this report expands on considerably.

One of the central issues is that the means by which the Chinese hackers obtained a signing key is still unclear, nearly a year after the incident took place. Shortly after the security breach, Microsoft said that the attackers had compromised an engineer’s account and found the key inappropriately stored in the debugging environment, accessible via a crash dump. The company has since changed its story and said that it can find no evidence of the crash dump that the key was supposedly pulled from, though it still believes that a compromised engineer account somehow led to access to a key that had made its way outside of a safe environment.

The report also notes that Microsoft might have stopped the Chinese hackers if it had an automatic key rotation system in place. But it was not just technical issues that drew the ire of the CSRB: investigators also said that the company’s public statements on the issue were misleading and too slow to be updated to reflect new information. And the company apparently had no inkling of the security breach until a customer brought it to its attention.
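To illustrate why the report singles out automatic key rotation, here is an added example that is not code from the CSRB, Microsoft, or this article: a toy token signer whose signing keys roll over on a fixed lifetime, with a verifier that refuses any key id outside its validity window. It assumes HMAC-SHA256 keys (a real identity platform uses asymmetric signing keys), and the key ids and timestamps are constructed.

```python
import base64, hashlib, hmac, json, secrets

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class RotatingKeyStore:
    """Signer/verifier whose keys are valid only for a fixed window: a key id
    is accepted only while current or inside a short grace period, so a key
    copied out of a dump stops being useful at the next rotation."""

    def __init__(self, lifetime: int, grace: int):
        self.lifetime, self.grace = lifetime, grace
        self.keys = {}                  # kid -> (secret bytes, issued_at)
        self.current = self.rotate(now=0)

    def rotate(self, now: int) -> str:
        kid = f"k{len(self.keys) + 1}"  # constructed key ids: k1, k2, ...
        self.keys[kid] = (secrets.token_bytes(32), now)
        self.current = kid
        return kid

    def sign(self, claims: dict, now: int) -> str:
        # Automatic rotation: roll the key once its lifetime has elapsed.
        if now - self.keys[self.current][1] >= self.lifetime:
            self.rotate(now)
        return self.sign_with(self.current, claims)

    def sign_with(self, kid: str, claims: dict) -> str:
        # Sign under an explicit key id (used to show what a retired key can still do).
        secret, _ = self.keys[kid]
        header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
        body = _b64(json.dumps(claims).encode())
        mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64(mac)}"

    def verify(self, token: str, now: int) -> bool:
        try:
            header, body, sig = token.split(".")
            kid = json.loads(_unb64(header))["kid"]
        except (ValueError, KeyError, TypeError):
            return False
        if kid not in self.keys:
            return False                # unknown kid: never accept
        secret, issued = self.keys[kid]
        if now - issued > self.lifetime + self.grace:
            return False                # key retired: a leaked copy is useless now
        mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(_b64(mac), sig)
```

Without the lifetime check in `verify`, a key taken from a crash dump would keep minting valid tokens indefinitely; with it, the window of exposure is bounded by `lifetime + grace`.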

Amit Yoran, Chairman and CEO of Tenable, characterized the report as a wake-up call for the organization: “The CSRB issued a masterful piece of work. This is not some watered-down, wishy-washy document full of government speak and platitudes. After a thorough investigation, this body of august experts issued a powerful document that should serve as a wake-up call to cloud providers that cybersecurity must be a top priority. While some cyber failures are unavoidable, we shouldn’t assume that to always be the case. The report states that ‘the intrusion was preventable’ and the Federal government has put its foot down over Microsoft’s repeated cybersecurity failures. It [CSRB] identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. There is no mincing of words. I couldn’t be prouder of how CISA and CSRB are maturing.”

Security breach potentially impacted national security

Microsoft’s security breach is receiving special attention as the company’s products are so broadly interwoven into the federal government’s networks and all manner of systems critical to national function and defense. The report cites a 2002 email from former CEO Bill Gates, who at the time implored his company to choose security over every other priority every time, in noting how far Microsoft appears to have drifted from its original culture and mission.

The mid-2023 lapse caused a total breach of at least 22 organizations and 500 individuals, with the Chinese hackers wielding the power to open up any Exchange Online email account for about six weeks. During that time they took about 60,000 emails from just the State Department, though the US government has claimed that the breached accounts did not contain anything requiring secret clearances or that would cause a public safety concern.

The CSRB concluded that the Chinese hackers had demonstrated that Microsoft’s security culture is “inadequate” and in need of an immediate overhaul, something the company appears to be receptive to. The company responded to the report by mobilizing its engineering team to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks. Specific recommendations made by the report include a full stop to adding any new features to cloud computing environments until necessary security improvements have been made, and publishing a public timeline that outlines how and when the company will be making improvements to each of its products.

Jeff Williams, co-founder and CTO at Contrast Security, thinks that the CSRB might have been too harsh in singling out Microsoft for common corporate failures: “Protecting secrets, like the cryptographic key Microsoft failed to properly protect, is a critical part of cybersecurity. However, it’s also an incredibly widespread problem that affects almost every large company. The CSRB specifically calls out Microsoft for ‘a corporate culture that deprioritized enterprise security investments and rigorous risk management,’ without recognizing that they are literally creating a culture of shame and blame in the entire software market. We’ve found over the last 20 years that shame and blame are not an effective way to improve security. In fact, it often backfires, creating a culture of hiding security details that leads to more vulnerabilities instead of a culture of transparency that leverages market forces to improve security. By publicly targeting companies that are successfully breached — who are, by the way, victims of attacks — the CSRB is making it more difficult to be transparent about their security practices.”

“This incident reminds me of when the US Congress excoriated Equifax for a library-related breach in 2017. They targeted a single company that was breached when virtually every other company in the industry had (and still has) the exact same problem. To have a chance of improving the cybersecurity situation overall, we need more carrot and less stick, less preaching and more actual help,” added Williams.