Microsoft slammed over security flaws that led to Chinese attack on Exchange systems

An abstract image of digital security.
(Image credit: Shutterstock) (Image credit: Shutterstock)

In the summer of 2023, Microsoft Exchange Online was hit in a series of intrusions by a People's Republic of China (PRC) backed actor tracked as Storm-0558, who gained access to the mailboxes of 22 organizations.

The mailboxes were used by over 500 people, and compromised a number of US government representatives including Commerce Secretary Gina Raimondo, US Ambassador to the PRC R. Nicholas Burns, and Congressman Don Bacon.

Microsoft Exchange Online uses signing keys to securely authenticate access to remote systems, and Storm-0558 managed to obtain a legitimate signing key which, when used in conjunction with another Exchange Online vulnerability, could have allowed them to access any account in the world.

Cloud security “has never been more important”

The attack has since been found to have been preventable, according to a report by the Department of Homeland Security (DHS) and the Cyber Safety Review Board (CSRB), stating that there were decision made pointing to “a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

The review found that Microsoft’s negligence in signing key rotation resulted in a 2016 key remaining active in 2023. Furthermore, a number of critical security controls that were standard practice for other CSPs at the time of the attack were not in place, which could have detected and prevented an intrusion of this scale.

Microsoft were also found to have issued conflicting communications at the time of the incident, stating that the 2016 key was likely stolen during a “crash dump,” then later stating that there was no evidence to suggest the key was stolen in this scenario.

CSRB Acting Deputy Chair Dmitri Alperovitch said, “This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government. Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors.”

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Before settling into journalism he worked as a Livestream Production Manager, covering games in the National Ice Hockey League for 5 years and contributing heavily to the advancement of livestreaming within the league. Benedict is mainly focused on security issues such as phishing, malware, and cyber criminal activity, but he also likes to draw on his knowledge of geopolitics and international relations to understand the motives and consequences of state-sponsored cyber attacks.

He has a MA in Security, Intelligence and Diplomacy, alongside a BA in Politics with Journalism, both from the University of Buckingham. His masters dissertation, titled 'Arms sales as a foreign policy tool,' argues that the export of weapon systems has been an integral part of the diplomatic toolkit used by the US, Russia and China since 1945. Benedict has also written about NATO's role in the era of hybrid warfare, the influence of interest groups on US foreign policy, and how reputational insecurity can contribute to the misuse of intelligence.

Outside of work Ben follows many sports; most notably ice hockey and rugby. When not running or climbing, Ben can most often be found deep in the shrubbery of a pub garden.