Microsoft could have stopped Chinese hackers from accessing email accounts linked to U.S. government officials, a Biden-appointed review board said in a scathing report released Tuesday.
The report, conducted by the Cyber Safety Review Board (CSRB), found “operational and strategic decisions” led to hackers in China breaching the officials’ emails in July.
The report outlined the company’s failure in the breach and made recommendations for the tech giant moving forward. It said it found that the “intrusion was preventable and should never have occurred.”
The report, describing Microsoft’s “avoidable errors,” said the company failed to detect that an employee’s laptop was compromised.
Ultimately, the board found that “Microsoft’s security culture was inadequate and requires an overhaul” given the company’s large role globally and the amount of trust consumers put in the company.
“To drive the rapid cultural change that is needed within Microsoft, the Board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products,” the review board wrote.
Microsoft said in a statement that it appreciated the investigation and the recent attack demonstrates the need to “adopt a new culture of engineering security.”
“While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” a Microsoft spokesperson said in a statement.
The company said it would “continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries.”
In July, a Chinese-based cyber actor gained access to email accounts of 25 organizations in the public cloud, including federal agencies. The hackers, known as Storm-0558, are “focused on espionage” and gathering U.S. intelligence, Microsoft said last year.
The company later said the hackers obtained a consumer signing key to breach emails after a crash produced a snapshot of the crash process that contained the consumer singing key. It was then used to forge authentication tokens to access emails.
In total, the hackers broke into the emails of 22 organizations and more than 500 people around the world, including the U.S. ambassador to China, Nicholas Burns and Commerce Secretary Gina Raimondo, the AP reported.
In a statement following the board’s report, Homeland Security Secretary Alejandro Mayorkas said the review was necessary to protect the “serious cyber threat these nation-state actors pose.”
“Individuals and organizations across the country rely on cloud services every day, and the security of this technology has never been more important,” Mayorkas said in his statement. “Nation-state actors continue to grow more sophisticated in their ability to compromise cloud service systems.”