Last year, Microsoft disclosed that a Chinese hacking group referred to as «Storm-0558» was responsible for a security breach that led to the access of the email accounts of around 25 organisations, including some US government agencies. The federal Cyber Safety Review Board has just released its report on the incident, identifying a «cascade of Microsoft's avoidable errors that allowed this intrusion to succeed». Ouch.
The Cyber Safety Review Board is composed of officials from several US government departments, including the Department of Homeland Security, the NSA and the FBI, as well as several industry leaders (via Ars Technica). It was tasked with creating the report [pdf] under a mandate from President Biden in response to the attack.
In a somewhat scathing review, the board found that not only were Microsoft's security practices «lacking» in comparison to other cloud providers, but that public statements released surrounding the attack were «inaccurate» and not corrected in a timely manner.
Microsoft said at the time that Storm-0558 had acquired a consumer signing key, which was used to forge tokens for the cloud service that stores login keys, and that this was caused by a validation error in its codebase. It later changed this explanation to a claim that an engineer's account was hacked, and that «human errors» were to blame for allowing an expired signing key to be used to forge tokens.
However, the report revealed that Microsoft has yet to determine the exact root cause of the breach, and noted that the company only updated its blog posts discussing the attack in March of this year, roughly at the same time the board was concluding its review and «only after the Board's repeated questioning about Microsoft's plan to issue a correction».
The attack itself was originally detected by State Department officials in June of last year, who then went on to notify Microsoft about the breach. The report cites that this was only possible because the