May 2, 2024

Microsoft committed a series of “avoidable errors” that permitted a Chinese hacking campaign last summer to successfully target the email accounts of top U.S. government officials, according to a government-ordered review.

The DHS CSRB stated that the Chinese hackers’ 2023 penetration of Microsoft Exchange Online was due to a series of operational and strategic decisions that effectively deprioritized enterprise security investments and rigorous risk management.

Microsoft failed to detect the compromise of a digital signing key created in 2016 and used to create authentication tokens. It also failed to detect the compromise of a Microsoft engineer’s laptop in 2021 that ultimately allowed the targeted hacking to occur.


Chinese hackers penetrated the email inboxes of senior officials, including Commerce Secretary Gina Raimondo, the U.S. ambassador to China and Rep. Don Bacon, a Nebraska Republican critical of Beijing. The hacking coincided with a mid-June visit to China by Secretary of State Antony Blinken that was delayed from earlier in 2023 after a Chinese surveillance balloon drifted across the continental United States.

The CSRB said Microsoft leadership should also consider directing teams across the company to deprioritize cloud infrastructure and product developments until substantial security improvements have been made.

The CSRB report describes signing keys that provide secure authentication for remote systems as “the cryptographic equivalent of crown jewels for any cloud service provider” and added: “As occurred in the course of this incident, an adversary in possession of a valid signing key can grant itself permission to access any information or systems within that key’s domain.”


Microsoft last year said Chinese hackers were apparently able to obtain the digital signing key for authentication tokens after finding the key in a dump of crash data stored in the company’s internet-connected network.

The report also recommends that providers develop more effective victim notification and support resources “to drive information sharing efforts and amplify pertinent information for investigating, remediating, and recovering from cybersecurity incidents.”

The report also encourages the Federal Risk and Authorization Management Program to develop a framework for conducting discretionary special reviews of its cloud service offerings following high-impact situations.

DHS CSRB Blames Microsoft for STORM-0558 Intrusion
