Cybersecurity

Microsoft email intrusion ‘should never have happened,’ Cyber Safety Review Board says

The board says the intrusion was preventable and that threat actors struck “the espionage equivalent of gold” when they compromised Microsoft’s cloud environment last year.
article cover

Chesnot/Getty Images

· 4 min read

In a report published March 20, the Cyber Safety Review Board said that a summer 2023 intrusion, in which Chinese threat actors compromised Microsoft’s cloud environment and inboxes belonging to 22 organizations and over 500 people globally, could have been prevented and “should never have happened.”

In the CSRB’s review, the board said it had identified “operational and strategic decisions” indicative of “a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

Gold rush. In May and June 2023, Storm-0558—threat actors linked to China and known to have “espionage objectives,” according to Microsoft—compromised multiple Microsoft Exchange Online mailboxes, with the CSRB noting that the threat actors struck “the espionage equivalent of gold” in its compromise.

The State Department was the first to uncover and notify Microsoft of the intrusion last year on June 16, with the report noting that the agency’s security operations center “detected anomalies in access to its mail systems” the day before.

Threat actors, who, per the CSRB report, had “access to some of these cloud-based mailboxes for at least six weeks,” targeted US government officials, such as Commerce Secretary Gina Raimondo, Congressman Don Bacon, and US Ambassador to China Nicholas Burns. The compromise occurred around the time of Secretary of State Antony Blinken’s trip to China, with Blinken being the first US secretary of state to have visited China in five years, the WSJ reported.

The US Embassy in Beijing did not immediately respond to IT Brew’s request for comment.

Matthew Miller, spokesperson for the Department of State, confirmed in a press briefing last year that the threat actors downloaded around 60,000 unclassified emails from the State Department alone, with Miller noting that “classified systems were not hacked.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Stealth mode. Storm-0558 gained access to the mailboxes by using forged authentication tokens signed by a Microsoft key. “This was the moment that Microsoft realized it had major, overlapping problems: First, someone was using a Microsoft signing key to issue their own tokens; second, the 2016 MSA key in question was no longer supposed to be signing new tokens; and third, someone was using these consumer key-signed tokens to gain access to enterprise email accounts,” the report read, noting that at the time of publication, “Microsoft does not know how or when Storm-0558 obtained the signing key.”

“Nine months after the discovery of the intrusion, Microsoft says that its investigation into these hypotheses remains ongoing,” the report also stated.

“This is absolutely preventable,” Lisa Plaggemier, the executive director at the National Cyber Security Alliance, told IT Brew in an interview. “Microsoft is ubiquitous, and that’s their strength. That’s also their weakness—that we all use them.”

Noting the report’s emphasis on “culture change” and “executive commitment,” she said that “it’s really about a cultural shift for the organization.”

When it comes to China-linked threat actors implementing these types of schemes for espionage and other purposes, “nothing is off the table,” according to Plaggemier.

“You have to assume [China-affiliated hackers] are going after everything,” Plaggemier said. “The creativity that they showed using end-of-life routers that belonged to regular citizens and small businesses to get into the power grid—that’s pretty ingenious…And I just think if anybody thinks they’re not a target, then they’re misinformed.”

Microsoft, through WE Communications, declined to comment at this time.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.