Microsoft blamed for Chinese cyber hack
Firm did not prioritise security, which allowed hackers to steal emails of officials: US report
An intrusion last year by Chinese state-backed hackers into Microsoft technology, which enabled them to gather American officials’ emails, “should never have occurred”, according to a report from a United States government cyber review board.
The Cyber Safety Review Board, a White House-mandated group designed to examine cyberattacks, said Microsoft displayed practices that “deprioritised both enterprise security investments and rigorous risk management”. The company’s security culture was “inadequate” and “requires an overhaul”, the report said.
The board examined last year’s hack of Microsoft Exchange Online inboxes, in which outsiders breached 22 organisations and hundreds of individuals. US Commerce Secretary Gina Raimondo, US ambassador to China Nicholas Burns and Nebraska Republican Representative Don Bacon were among those ensnared in the campaign.
A hacking group associated with the Chinese government known as Storm-0558 was behind the effort, the report said. Microsoft has yet to determine how attackers infiltrated the company, according to the report.
Reviewers also determined that the firm was slow to update misleading or inaccurate disclosures about the incident. In one case, Microsoft suggested in September that hackers had used a tool known as a digital certificate to steal emails. It was not until November that the firm acknowledged to the board that its September disclosure was “inaccurate”, according to the report.
Microsoft said it would review the report for recommendations. “While no organisation is immune to cyberattack from well-resourced adversaries, we have mobilised our engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks,” a Microsoft official said.
While Microsoft is primarily known for its software for corporations and consumers, the Redmond, Washington-based company has emerged as the biggest provider of cybersecurity products in recent years – an area of the business that has grown to about US$20 billion annually.
US Senator Ron Wyden, who called for the investigation, said that federal agencies shared some of the blame for the breach “for showering Microsoft with billions of dollars in government contracts, without demanding the company meet minimum cybersecurity standards.”