
Microsoft could have stopped 2023 Chinese email breach: US government



03 Apr 2024


An investigation by the US Cyber Safety Review Board (CSRB) has found that a significant breach of government emails in 2023 could have been prevented by Microsoft.

The breach was executed through Microsoft Exchange Online software and was described as a "cascade of security failures" at the tech giant.

This lapse in security permitted Chinese state-sponsored hackers to infiltrate the email accounts of 22 organizations, affecting over 500 individuals, including those involved in national security.


DHS report labels breach as 'preventable'


The Department of Homeland Security (DHS) issued a critical report, labeling the breach as "preventable."

The report pointed out several actions within Microsoft that led to "a corporate culture that deprioritized enterprise security investments and rigorous risk management."

The hackers used a stolen Microsoft account consumer key to generate tokens for accessing Outlook on the web and Outlook.com.

While it is unclear how the key was stolen, it is suspected to have been exposed in a crash dump.
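As an added illustration, not part of the article or of Microsoft's own code: a toy token verifier showing why a stolen signing key is so damaging, and the kind of check that limits the blast radius of one key. It assumes a simple HS256-style token, constructed key names and audiences, and an assumed key-scope table recording which service each key may issue tokens for; the article does not describe the actual validation logic involved.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secrets standing in for the two key families. Real signing keys
# are asymmetric; HMAC keeps this self-contained (an assumption, not Microsoft's design).
SIGNING_KEYS = {
    "consumer-key-1": b"constructed-consumer-secret",
    "enterprise-key-1": b"constructed-enterprise-secret",
}
# Assumed key-scope table: the audiences each key is trusted to mint tokens for.
KEY_SCOPE = {
    "consumer-key-1": {"outlook.com"},
    "enterprise-key-1": {"outlook.office.com"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(kid: str, claims: dict) -> str:
    """Issue a compact JWS-style token (header.payload.signature) signed by key `kid`."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEYS[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, expected_aud: str, enforce_key_scope: bool = True) -> tuple:
    """Return (accepted, reason). With enforce_key_scope=False, any known key with a valid
    signature is trusted; with it on, the key must also be scoped to the target audience."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s)
    except ValueError:  # bad split, bad base64, bad UTF-8 or bad JSON
        return False, "malformed token"
    kid = header.get("kid")
    key = SIGNING_KEYS.get(kid)
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    if enforce_key_scope and expected_aud not in KEY_SCOPE.get(kid, set()):
        return False, f"key {kid} not trusted for audience {expected_aud}"
    return True, "ok"
```

A token signed with the consumer key but carrying the enterprise audience passes the signature and audience checks alone; only the key-scope check rejects it, which is why a verifier must bind each key to the issuers and audiences it is allowed to serve.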


Microsoft admits to misinformation in initial report


Microsoft admitted to the Cyber Safety Review Board in November that its September blog post about the incident contained inaccuracies.

However, it only corrected this misinformation on March 12, months later, after persistent questioning by the board.

The CSRB concluded that Microsoft's security culture requires significant improvement.

It stated, "The Board finds that this intrusion was preventable and should never have occurred."


AI-powered chatbot launched amid security concerns


The disclosure of the breach coincides with Microsoft's launch of Copilot for Security. It is an AI-powered chatbot designed for cybersecurity professionals.

The company is charging businesses $4 per hour of usage to access this newest AI tool.

Meanwhile, Microsoft continues to grapple with ongoing attacks from Russian state-sponsored hackers, known as Nobelium, who infiltrated some Microsoft executive email accounts and stole some of the company's source code.


Microsoft initiates major overhaul of software security


In response to these security breaches, Microsoft is undertaking a significant overhaul of its software security with the new Secure Future Initiative (SFI).

The SFI aims to transform how Microsoft designs, builds, tests, and uses its software and services.

This initiative represents the most substantial change to Microsoft's security efforts since the rollout of its Security Development Lifecycle (SDL) in 2004.

The SDL was introduced following the Blaster worm, which knocked Windows XP machines offline in 2003.


CSRB recommends immediate security improvements


The CSRB has recommended that Microsoft stop adding features to its cloud computing environment until "substantial security improvements have been made."

The panel also asked Microsoft CEO Satya Nadella to initiate "rapid cultural change" and to publicly share "a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products."


Microsoft pledges to strengthen systems against future attacks


In response to the report, Microsoft expressed appreciation for the CSRB's investigation.

It also pledged to "continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries."

The company acknowledged that the hackers involved are "well-resourced nation state threat actors who operate continuously and without meaningful deterrence."
