Microsoft slammed over security flaws that led to Chinese attack on Exchange systems

News
By Benedict Collins
published

Corporate culture to blame for Microsoft Exchange Online breach

An abstract image of digital security.
(Image credit: Shutterstock) (Image credit: Shutterstock)

In the summer of 2023, Microsoft Exchange Online was hit in a series of intrusions by a People's Republic of China (PRC) backed actor tracked as Storm-0558, who gained access to the mailboxes of 22 organizations.

The mailboxes were used by over 500 people, and compromised a number of US government representatives including Commerce Secretary Gina Raimondo, US Ambassador to the PRC R. Nicholas Burns, and Congressman Don Bacon.

Microsoft Exchange Online uses signing keys to securely authenticate access to remote systems, and Storm-0558 managed to obtain a legitimate signing key which, when used in conjunction with another Exchange Online vulnerability, could have allowed them to access any account in the world.

Cloud security “has never been more important”

The attack has since been found to have been preventable, according to a report by the Department of Homeland Security (DHS) and the Cyber Safety Review Board (CSRB), stating that there were decision made pointing to “a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

The review found that Microsoft’s negligence in signing key rotation resulted in a 2016 key remaining active in 2023. Furthermore, a number of critical security controls that were standard practice for other CSPs at the time of the attack were not in place, which could have detected and prevented an intrusion of this scale.

Microsoft were also found to have issued conflicting communications at the time of the incident, stating that the 2016 key was likely stolen during a “crash dump,” then later stating that there was no evidence to suggest the key was stolen in this scenario.

CSRB Acting Deputy Chair Dmitri Alperovitch said, “This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government. Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors.”

More from TechRadar Pro

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Benedict is mainly focused on security issues such as phishing, malware, and cyber criminal activity, but also likes to draw on his knowledge of geopolitics and international relations to understand the motivations and consequences of state-sponsored cyber attacks. Benedict has a MA in Security, Intelligence and Diplomacy, alongside a BA in Politics with Journalism, both from the University of Buckingham.