Channel: iTWire - Business IT - Networking, Open Source, Security & Tech News

2023 Azure breach: US rips Microsoft over 'cascade of security failures'


Microsoft has been mauled over "a cascade of security failures" that led to a breach of the company's Azure cloud platform by a group known as Storm-0558, with the US Cyber Safety Review Board concluding that the intrusion "should never have happened".

A report about the incident, which came to light in July last year, was released by the CSRB on 20 March.

Microsoft issued what it called a final blog post about the breach on 6 September 2023, but quietly corrected that post on 12 March this year without drawing attention to the fact that it was admitting it had no idea how the actor had gained control of a Microsoft Services Account (MSA) authentication key that had been created in 2016.

The company had claimed Storm-0558 had been in its systems since May 2023, with the "probable" cause being the cracking of a staff engineer's corporate account.

But in the update it said "the actor access may have resulted from a crash dump in 2021, but we have not found a crash dump containing the impacted key material".

The company confessed that as of 12 March, it still had no idea of how the threat actor had gained access to its systems and commandeered the MSA authentication key created in 2016.

This compromise gave the hostile actor access to Microsoft Exchange Online mailboxes of 22 organisations and more than 500 individuals, with the actor believed to have been from China.

The attackers gained access through a vulnerability discovered in June 2023 by the State Department, according to anonymous officials quoted in the Washington Post.

The intrusion "compromised senior US Government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, US Ambassador to the People’s Republic of China Nicholas Burns, and Congressman Don Bacon", the report said.

It added that this "was not the first intrusion perpetrated by Storm-0558, nor is it the first time Storm-0558 displayed interest in compromising cloud providers or stealing authentication keys.

"Industry links Storm-0558 to the 2009 Operation Aurora campaign that targeted over two dozen companies, including Google, and the 2011 RSA SecurID incident, in which the actor stole secret keys used to generate authentication codes for SecurID tokens, which were used by tens of millions of users at that time. Indeed, security researchers have tracked Storm-0558’s activities for over 20 years."

Operation Aurora comprised attacks by China that targeted US private sector companies, compromising the networks of Yahoo!, Adobe, Dow Chemical, Morgan Stanley, Google, and more than two dozen other companies to steal trade secrets.

Only Google confirmed it had been a victim and publicly blamed Beijing.

The CSRB concluded that Microsoft’s security culture was inadequate and required an overhaul, "particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations".

Its reasons were:

  • the cascade of Microsoft’s avoidable errors that allowed the intrusion to succeed;
  • the failure to detect the compromise of the company's cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed;
  • the Board’s assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not;
  • Microsoft’s failure to detect a compromise of an employee's laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021;
  • Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its 6 September 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction;
  • the Board's observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and
  • how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency.

A lengthy series of recommendations has been included in the report.

In a statement, Ryan Triplette, executive director of the Coalition for Fair Software Licensing, said: “Microsoft is long overdue for a wake-up call. The CSRB report makes clear that a confluence of factors, including vendor lock-in of Microsoft's security products and subsequent over-reliance on its cloud and productivity tools, led to another totally preventable national security failure.

“Restrictive software licensing lies at the core of Microsoft’s ‘ubiquitous’ position in government sales despite its widespread and, frankly, basic security failings. This complex web of restrictions drives the adoption of Microsoft’s insecure products across the federal government and creates a single attack surface that leads to repeated cyber attacks.

“The CSRB examined this incident because of its significant impact on the US Government. However, the company’s long pattern of security blunders negatively impacts customers worldwide.

“The Coalition applauds the CSRB for its thorough review of the breach. We encourage US regulators, including the FTC, to investigate Microsoft’s predatory licensing practices and its impact on security to further the progress that has been made.”

