A scathing US report by a White House-mandated group, the Cyber Safety Review Board (CSRB), has found that Microsoft had cyber practices in place that left it susceptible to an intrusion.
The board conducted an independent review of the Summer 2023 Microsoft Exchange Online intrusion by Storm-0558, a hacking group assessed to be affiliated with the People’s Republic of China.
As part of its investigation, the CSRB said that it “obtained data from and conducted interviews with 20 organizations and experts including cybersecurity companies, technology companies, law enforcement organizations, security researchers, academics, as well as several impacted organizations.”
It added that the intrusion was “preventable” and identified “a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritised enterprise security investments and rigorous risk management.”
It further recommended that Microsoft develop and publicly share a plan with specific timelines “to make fundamental, security-focused reforms across the company and its suite of products.”
CSRB Acting Deputy Chair Dmitri Alperovitch said, “The threat actor responsible for this brazen intrusion has been tracked by [the] industry for over two decades and has been linked to 2009 Operation Aurora and 2011 RSA SecurID compromises.
“This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government. Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors.”