[German]The US Cyber Safety Review Board has now published its report on the hack of Microsoft Online Exchange in the summer of 2023 by the suspected Chinese group Storm-0558. The board's conclusion: Microsoft can't do security! And certainly not in its own cloud. A "cascade" of errors, committed by Microsoft or its employees, is responsible for the hack of the Microsoft Cloud and Microsoft Online Exchange accounts.
Advertising
Desaster Storm-0558 Hack
In May 2023, Exchange Online and Outlook accounts were hacked by the suspected Chinese hacker group Storm-0558. The attackers were able to access any account in Exchange Online or Outlook. The hack was discovered by a customer (US State Department) after they noticed unusual access to accounts.
I had reported about the incident in the blog post China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud. The hack was announced by Microsoft on July 11, 2023 in the post Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email. The hack was made possible by an incredible chain of errors via a stolen AAD key (see my post Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services).
Report of the US Cyber Safety Review Board
In the USA, this hack led to an investigation by the US Cyber Safety Review Board. The US Cyber Safety Review Board has now presented its final report on the case, which comes as a major slap in the face for Microsoft. Kevin Beaumont points out the facts of the case in the following post. CISA has published a few lines here. You can download the report as a PDF (34 pages long) here.
The summary is that the intrusion by Storm-0558, a hacking group believed to be linked to the People's Republic of China, could have been avoided. The Board identified a number of operational and strategic decisions by Microsoft that point to a corporate culture that neglects investment in corporate security and rigorous risk management.
Advertising
This is at odds with the company's central position in the technology ecosystem and the trust that customers place in the company to protect their data and operations. The hack and intrusion into the Microsoft Exchange online mailboxes of 22 organizations and more than 500 individuals worldwide was "preventable" and "should never have happened", the report concludes. And it is particularly worrying that Microsoft still does not know how the attackers carried out the attack.
Microsoft's inaccurate public statements on this incident and the fact that the information was not corrected in good time, but only after repeated requests from the committee, are also criticized. Microsoft had cited a crash dump with a private key as the cause of the hackers' access (see my article Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC). Now the Microsoft Security Response Center admits in an update to the report that "no crash dump containing the affected key material has been found".
In addition, there is the hack by the alleged Russian hacker group Midnight Blizzard that became public in January 2024 (see Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023) and Microsoft's admission that the hackers were probably still on the network even after the discovery and were even able to access source code (see Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems).
The Board of Inquiry recommends that Microsoft develop and make public a plan with specific timelines for fundamental, security-oriented reforms across the company and its product portfolio. Microsoft has cooperated fully with the Board's review, it says. US media outlets such as the Washington Post and AP have jumped on the issue and are picking Microsoft apart. In the USA, the first authorities and major customers have already started to turn away from Microsoft.
Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC
Microsoft extends Purview logging (after Storm-0558 hack)
Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack– Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2
Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems
Advertising
