CSRB says Microsoft security culture ‘inadequate’ after US government systems breached

Cyber Safety Review Board’s scathing report on intrusion of Microsoft systems by threat actor linked with China.

Between May and June 2023 the threat actor was able to compromise the online mailboxes of a number of victims in the US, UK and elsewhere, almost certainly for the purposes of espionage. The attack targeted multiple US government agencies, foreign governments and individual senior government officials, as well as private sector organizations and private individuals.

The US Department of State detected the intrusion on 15 June and notified Microsoft. Microsoft’s investigation concluded that Storm-0558 had access to a stolen 2016 MSA key, allowing access to both consumer and enterprise accounts. The stolen key was invalidated by Microsoft on 24 June.

The stolen key

Despite extensive forensic scrutiny, Microsoft has not been able to determine how Storm-0558 acquired the key. But it has suggested that the incident may be connected to the compromise of its own corporate network in 2021.

In that incident, the device of an engineer employed by a company acquired by Microsoft had been compromised by a threat actor prior to the acquisition. Following the acquisition the engineer was granted access to Microsoft’s corporate environment on the compromised device and this was then used by Storm-0558 to penetrate the network.

Although the captured key dated back to 2016, Storm-0558 was able to use it to penetrate email accounts because consumer key rotation was paused by Microsoft in 2021 following a major cloud outage. This meant that, despite its age, the key remained valid.

Having found an initial point of entry, Storm-0558 was able to identify a flaw in the common validation endpoint that did not differentiate between consumer and enterprise signing keys, giving it access to enterprise accounts.
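The two conditions described above (a signing key that stays valid long after it should have been rotated, and a validator that accepts a consumer key for an enterprise account) can be reduced to a toy validator. This is an added illustration, not Microsoft's code or anything taken from the CSRB report; the key names, dates, the one-year `MAX_KEY_AGE` and the use of HMAC in place of an asymmetric signature are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

MAX_KEY_AGE = timedelta(days=365)  # assumed rotation policy, not a figure from the report

@dataclass(frozen=True)
class SigningKey:
    scope: str      # "consumer" or "enterprise"
    created: date
    secret: bytes   # HMAC stands in for the real asymmetric signature

# Constructed key registry; names, dates and secrets are illustrative only.
KEYS = {
    "consumer-2016": SigningKey("consumer", date(2016, 1, 1), b"c16"),
    "consumer-2023": SigningKey("consumer", date(2023, 1, 1), b"c23"),
    "enterprise-2023": SigningKey("enterprise", date(2023, 1, 1), b"e23"),
}

def _mac(key, account_type, sub):
    return hmac.new(key.secret, f"{account_type}|{sub}".encode(), hashlib.sha256).hexdigest()

def make_token(kid, account_type, sub):
    """Build a constructed sample token signed with the named key."""
    return {"kid": kid, "account_type": account_type, "sub": sub,
            "sig": _mac(KEYS[kid], account_type, sub)}

def validate_signature_only(token):
    """Flawed check: any known key is trusted for any account type, at any age."""
    key = KEYS.get(token["kid"])
    if key is None:
        return "reject: unknown key"
    expected = _mac(key, token["account_type"], token["sub"])
    return "accept" if hmac.compare_digest(expected, token["sig"]) else "reject: bad signature"

def validate_hardened(token, today):
    """Also enforce key age and key scope before trusting the signature."""
    key = KEYS.get(token["kid"])
    if key is None:
        return "reject: unknown key"
    if today - key.created > MAX_KEY_AGE:
        return "reject: key past rotation age"
    if key.scope != token["account_type"]:
        return "reject: key scope mismatch"
    return validate_signature_only(token)
```

Either check on its own rejects the cross-scope token: the age check stops the 2016 key, and the scope check stops even a freshly issued consumer key presented for an enterprise account.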

As noted above, it was the US State Department that first detected the intrusion, a sign that at least parts of the US government are increasingly aware of the heightened threat of cyber-attack and are better equipped to detect and deal with such threats. It was able to do so because it had paid for enhanced logging and built custom alerts to identify anomalous access to mailboxes.

The CSRB report

The CSRB report emphasizes that the intrusion was possible because Microsoft’s corporate security culture was inadequate. Parts of the basis for this conclusion are worth reproducing here as they demonstrate why the report is so unusually strongly worded. The report mentioned:

  1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed;
  2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed;
  3. the Board’s assessment of security practices at other communications service providers (CSPs), which maintained security controls that Microsoft did not;
  4. Microsoft’s failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021;
  5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not;
  6. the Board’s observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and

According to the report, the “intrusion vector could have been blocked or detected” were it not for the litany of failings outlined above.

In particular, the decision to stop the rotation of signing keys along with the failure to prioritize the development of an automated key rotation solution and the inadequate controls in the authentication system “are troubling examples of decision-making processes within the company that did not prioritize security risk management”.

And the report notes that the business’s failure to specifically adjust its security controls to better reflect the current threat landscape was indicative of an insufficient focus on updating its legacy infrastructure.

CSRB recommendations

The CSRB makes some important granular recommendations for Microsoft that are well worth reading. It also makes some broader recommendations for CSPs generally, some of which will also be relevant to any organization running complex IT infrastructure:

  • Implement modern control mechanisms and baseline practices, informed by a rigorous threat model, to substantially reduce the risk of system-level compromise.
  • Adopt a minimum standard for default audit logging to enable the detection, prevention, and investigation of intrusions.
  • Implement emerging digital identity standards to secure services against prevailing threat vectors.
  • Adopt incident and vulnerability disclosure practices to maximize transparency – even in the absence of a regulatory obligation to report.
  • Develop more effective victim notification and support mechanisms to drive information-sharing efforts and amplify pertinent information for investigating, remediating, and recovering from cybersecurity incidents.

Finally, in a sobering message introducing the report, Robert Silvers and Dmitri Alperovitch, Chair and Deputy Chair of the CSRB, pointed out that while the “cloud creates enormous efficiencies and benefits” it is now “a high-value target” with an attacker who is able to compromise a cloud service provider being able to “quickly position itself to compromise the data or networks of that CSP’s customers”.

They point out that “CSPs have become one of our most important critical infrastructure industries”.

GRIP comment

The fear of a loss of confidence in our highly regulated markets in particular (energy, financial, health, etc) as a result of a cyber incident that spreads uncontrollably through these critical systems is never far away from the minds of the governments of developed economies.

The fact that avoidable errors and several failures to detect or correct intrusions and security control issues are mentioned several times in the CSRB report is quite troubling in light of Microsoft’s market share and resources.

The routine security practices a business with such an indelible global footprint takes are important – not only in terms of prevention, but in determining the root causes of intrusions when they occur and then making prompt reports to stakeholders to enable them to better protect themselves or even offer timely assistance.

And the report’s mention of the board’s responsibility for assessing security practices at other CSPs to keep pace with their solutions and security control posture should be taken seriously. The board of a business like Microsoft must have the expertise and the foresight to continually determine where it falls regarding legal expectations and industry best practices in terms of its corporate security posture.

Regulators and governments are all waking up to the fact that there is real vulnerability stemming from systems that are depended upon at institutions around the globe and in every business sector and thereby create systemic risk in almost anything that they touch.