The DHS Cyber Safety Review Board (CSRB) has released a report on the hack of Microsoft by the Chinese threat actor Storm-0558 in May 2023, in which the hackers breached an unidentified number of email accounts linked to around 25 organizations, including some related individual consumer accounts and government agencies in Western Europe and the US.
The threat actor leveraged forged authentication tokens to access the impacted email accounts via Outlook Web Access (OWA) in Exchange Online and Outlook.com.
CSRB’s report found Microsoft at fault for the intrusion, which officials said was “preventable”, adding that “Storm-0558 was able to succeed because of a cascade of security failures at Microsoft.”
In its report, the board highlighted a series of decisions made by Microsoft that have had detrimental effects on enterprise security, risk management, and customer trust in safeguarding their data and operations.
The board has concluded that Microsoft's security culture is insufficient and necessitates a comprehensive overhaul, particularly given the company's pivotal role in the technology ecosystem and the significant trust customers place in it to protect their data and operations.
The board's conclusion is based on several key factors:
The succession of avoidable errors made by Microsoft that allowed the intrusion to succeed.
Microsoft's failure to independently detect the compromise of its critical cryptographic assets, instead relying on a customer to report anomalies they had observed.
A comparative evaluation of security practices at other cloud service providers, which revealed security controls those providers had in place that Microsoft lacked.
Microsoft's inability to detect a compromise of an employee's laptop from a recently acquired company before allowing it to connect to the corporate network in 2021.
Delays in rectifying inaccurate public statements made by Microsoft regarding the incident, despite acknowledging the inaccuracies in November 2023. The correction was not issued until March 12, 2024, after repeated inquiries from the board regarding Microsoft's plans for addressing the issue.
Additionally, the board noted a separate incident disclosed by Microsoft in January 2024, which fell outside the scope of the board's review. This incident revealed a compromise that granted access to highly sensitive Microsoft corporate resources, including email accounts, source code repositories, and internal systems, to a different nation-state actor.