Feds say Microsoft security ‘requires an overhaul’ — but will it listen?

In early April, the US Department of Homeland Security (DHS)  delivered a blistering report excoriating Microsoft’s lax security practices, which allowed Chinese spies to hack into the accounts of high-level government officials, including Commerce Secretary Gina Raimondo, Ambassador to China Nicholas Burns, and Rep. Don Bacon (R-NE). (All are in charge of the country’s relationship with China.)

Typically, government investigations like this are staid affairs, ending in pallid reports offering wishy-washy critiques and even weaker recommendations. But this 29-page DHS report pulled no punches. It laced into Microsoft, calling out its security failures and pointing to “the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.” Microsoft’s security infrastructure is so weak, the DHS said, that the company failed “to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed.”

It added that Microsoft had purposely issued misleading statements about the attack, with the company claiming last fall it had found the root cause of the intrusion, when even today it still doesn’t know how it happened.

The report concluded the company’s security is “inadequate and requires an overhaul.”

There’s a long history of foreign governments targeting Microsoft security holes to hack top government officials and private companies. (In January, for example, I wrote about a  breach in which Russians hacked into the corporate accounts of Microsoft’s top executive team and staff and stole email and documents.)

Nothing seems to have changed since then, and it’s not clear whether the company’s security practices will change. To get a better sense of what the company might (or might not) do, let’s look at the Chinese hack.

What Microsoft did wrong

The DHS Cyber Safety Review Board’s report lays out the Chinese hack and Microsoft’s response in exquisite detail, revealing what the Washington Post calls Microsoft’s “shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency.”

The attack was engineered by the Storm-0558 hacking group — doing the bidding of China’s most powerful spy service, the Ministry of State Security. Storm-0558 has a history of carrying out espionage-related hacks of government agencies and private companies dating back to 2000. Until now, the best-known one was Operation Aurora, brought to light by Google in 2010. The Council on Foreign Relations called that attack “a milestone in the recent history of cyber operations because it raised the profile of cyber operations as a tool for industrial espionage.”

According to the DHS report, the most recent hack took place after Storm-0558 got its hands on a “Microsoft Services Account (MSA)17 cryptographic key that Microsoft had issued in 2016.” Using the key, Storm-0558 forged user credentials and used them to log into government accounts and steal emails of Raimondo, Burns, Bacon, and others. 

There are other unsolved mysteries. The key should only have been able to create credentials for the consumer version of Outlook Web Access (OWA), yet Storm-0558 used it to create credentials for Enterprise Exchange Online, which the government uses. Microsoft can’t explain how that can be done.

There’s worse. That 2016 key should have been retired in 2021, but Microsoft never did so because the company had problems with making its consumer keys more secure. So the key, and presumably many others like it, remained as powerful as ever. And Storm-0558 did its dirty work with it.

This series of events — a key that should have been retired was allowed to stay active, the theft of the key by Storm-0558 stole the key, and then Storm-0558’s ability to use it to forge credentials to get access to enterprise email accounts used by top government officials, even though the key shouldn’t have allowed them to do so — represents the “cascade of errors” the DHS said Microsoft committed.

Making it all worse was the claim by Microsoft that it knew how the hack had been done, which was untrue. 

Will Microsoft really change its security culture?

Microsoft has been criticized for years for these kinds of attacks, and yet they continue. Will this time around be different?

Microsoft’s public response sounds as if it’s going to be business as usual. The company didn’t even take direct responsibility for the hacks. It told the Washington Post, “recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.”

That’s about as mealy-mouthed a statement you can make. And it’s especially mealy-mouthed because this hack required no feats of legendary hacking — just the use of an old encryption key that should have been deleted years ago. If Microsoft had followed basic security practices and taken that one simple step, none of this would have happened.

More disturbing is that the Russian hack of Microsoft officials in January was caused by a similar oversight: Microsoft forgot to delete an old test account, and hackers used basic techniques to break into it. Once they did that, they used the account’s permissions to steal emails and documents from Microsoft’s senior management and people who worked on its cybersecurity and legal teams, among other functions.

The Biden administration released a new National Cybersecurity Strategy more than a year ago. A fact sheet that went along with it warns, “Poor software security greatly increases systemic risk across the digital ecosystem and leave American citizens bearing the ultimate cost. We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software.” 

In the Russian and Chinese hacks, by no stretch of the imagination can you say Microsoft has taken “reasonable precautions” when it comes to cybersecurity — very much the opposite. But Congress has yet to take action against the company, for example, by taking away some of the many billions of dollars a year the government pays the company for software, the cloud, and other services.

There’s no way to know whether this time Microsoft will clean up its cybersecurity oversight. But if it doesn’t, the company isn’t the only one to blame. The federal government will share the fault as well, because so far it hasn’t even bothered to slap the company on the wrist.
Email Security, Government IT, Industry, Microsoft, Security