In July 2023, Chinese government hackers were spotted in Microsoft’s cloud environment. They seemed to have accessed email inboxes of at least 22 organisations including the US State Department. The high-profile Cyber Safety Review Board within CISA has now slammed Microsoft and pinned the blame for the 2023 Exchange Online Intrusion on the company’s lax security practices.
The Board released a report this week pinning the blame on Microsoft for the Chinese espionage campaign that was “preventable and should have never occurred”.
In this article, we are going to break down very simply what happened, what Microsoft is taking a rap for and what lessons are contained here for the rest of us.
Topics covered in the blog:
1. What is Microsoft being slammed for?
2. What were the series of security lapses by Microsoft?
3. What can we learn from the review of the Cyber Safety Review Board?
Summer 2023 Exchange Online Intrusion: The Incident
First, let’s catch up quickly on what the Incident in question is. A hacking group associated with the Chinese government, known as Storm-0558, compromised Microsoft’s cloud environment last year. The hackers managed to gain access to the mailboxes of some of the most senior U.S government officials responsible for managing America’s relationship with the People’s Republic of China.
Essentially, the threat actors successfully compromised Microsoft Exchange Online inboxes of around 22 organisations and 500+ individuals across the globe. Storm-0558 managed this feat by using authentication tokens signed by a Microsoft key issued in 2016.
When paired with another vulnerability in Microsoft's authentication system, the key allowed Storm-0558 to achieve complete access to virtually all Exchange Online accounts globally.
While Microsoft published corporate statements on the cybersecurity incident and its ensuing investigations, one lapse has caught particular attention of the Board. In one of its blogs in September 2023, Microsoft claimed that the most probable way that the threat actor accessed the 2016 Microsoft Service Account (MSA) key was in a crash dump from the 2021 Microsoft compromise.
Later, Microsoft admitted to the Board that it still hasn't ascertained accurately how the key was accessed and didn’t update its blog for over 6 months. The delay in transparent communications has been slammed repeatedly in the report.
Additionally, the report highlights that the unresolved issue of whether the threat actor accessed other keys and sensitive information beyond the 2016 MSA key further compounds the Board's worries about the incident's full implications and the lingering uncertainty.
Cascade of Security Failures at Microsoft: What the Report Highlights
The Cyber Safety Review Board released what many are calling a “scathing" review of Microsoft’s security practices. It went so far as to say that the company’s security culture needs a complete overhaul.
One can’t help but agree with the report when it highlights that a company in Microsoft’s position - central to the current technology ecosystem and trusted by organisations of all scales and sizes globally - should perhaps have had a more robust security protocol in place.
The report also places the onus of prioritising the highest standards of cybersecurity on the CEO and Board of Directors at Microsoft.
The report highlights the following as the ‘cascade of security failures’:
- Microsoft's inability to identify the theft of its crucial cryptographic assets on its own. It took a customer to report observed anomalies instead.
- The Board reviewed security protocols at several other high-profile cloud service providers and found many security measures which they implemented but were absent at Microsoft.
- Microsoft's delay in correcting a misleading public statement about the incident. In a blog post dated September 6, 2023, the company asserted that it had pinpointed the likely source of the breach, which actually remains unverified until now. Despite acknowledging the inaccuracies in the blog post to the Board in November 2023, Microsoft did not update the post until March 12, 2024, prompted only by the Board's persistent inquiries regarding a correction.
- The Board noted another incident, disclosed by Microsoft in January 2024, involving a different nation-state actor gaining access to sensitive Microsoft emails, source code, and internal systems. This incident was not within the scope of the Board's review but highlighted additional security concerns.
The Board reiterated in its report that the critical nature of Microsoft's products, which are integral to national security and economic stability, demands that the company upholds the highest standards of security and transparency.
Back to Top
Top 3 Lessons Learned from the Microsoft Exchange Online Breach 2023
The moral of the story here (for the rest of us) isn’t necessarily about what Microsoft didn’t do or should do in the future. But this report highlights some key takeaways that businesses across the globe must take cognizance of.
Some of the simplest but most resounding lessons from this breach and the ensuing Board review can be summed up as follows:
- Stop deprioritizing cybersecurity: If you haven’t already woken up to the alarming rise in cyber crime and the massive damage it can cause to your business, it’s time to stop hitting the snooze button.
If an organisation with deep pockets such as Microsoft couldn’t come out unscathed after a cyber intrusion, chances are you probably won’t either. It’s time to get serious about your security posture. Just like the Board has done in the aftermath of this incident, it is worthwhile to assess the security measures of your peers. Invest time and resources in understanding what your crown jewels are, what your top risks are and how you can manage them better.
Need help? Reach out to our expert cybersecurity consultants. They will help you assess and evaluate your current cybersecurity posture. But more importantly, they work with several other organisations globally, many of which could be from your industry. This rich and diverse experience can enable you to implement the best and most updated cybersecurity practices and protocols in place. They also help you bring a nuanced outsider’s perspective to your overall cybersecurity culture.
- Board & Senior Management Engagement: In several places, the report by the Cyber Safety Review Board stresses the need for greater cybersecurity engagement for Microsoft’s CEO and Senior Management. In its recommendations, it clearly states that the top leadership must deprioritize release of new features and first achieve security stability in existing offerings.
At Cyber Management Alliance, we offer several business leadership-focussed cybersecurity awareness sessions that can help you achieve this goal. These sessions are brief and designed to engage with the Executive in a language they understand.
In addition, we also run a special Executive-focussed Cyber Crisis Tabletop Exercise workshop. This allows the Board and Senior Management to rehearse decision-making for cyber crises and enhance the organisational cybersecurity leadership.
- Transparent Communication: It is quite clear to anyone who has read the US Safety Board’s report that it has taken the inaccurate communication in Microsoft’s blog in September 2023 as a grave error of judgement. The fact that the blog wasn’t updated with Microsoft’s new findings (that it had found no evidence of a crash dump containing the 2016 MSA key material) for over 6 months has been seriously emphasised by the report, underlining the importance of timely and transparent communications in the aftermath of a cybersecurity incident.
This underlines the need for a robust and effective Cyber Incident Response Plan which places considerable emphasis on Communication. The way a victim organisation reports an incident to authorities and regulatory bodies is critical. What is equally important is how it communicates with its impacted customers and stakeholders who have placed their trust in the organisation to keep their sensitive information secure.
The lesson learned? Make sure you regularly review and refresh your Cybersecurity Incident Response Plan. Take stock of recent cyber attacks, study how victims respond and implement those best practices in your plans and policies. Find news about an organisation that didn’t respond effectively or received a bad rap for the way it responded? Make sure you pay attention to such lapses too and learn from others’ experiences and mistakes.
Back to Top