CSRB accuses Microsoft of neglecting its security systems
The Storm-0558 group stole 60,000 emails from the US State Department
3 min. read
Published on
Share this article
Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more
The US government’s Cybersecurity and Infrastructure Security Agency’s (CISA’s) Cyber Safety Review Board (CSRB) reviewed the June 2023 attack on Microsoft’s Exchange Online hosted email service. The board decided that the attack conducted by the China-related Storm-0558 was preventable. Thus, the CSRB blames Microsoft for having a weak information-spreading security culture. In addition, they claim that the company uses inadequate cloud security measures.
During the June 2023 attack on Microsoft, hackers compromised the accounts of several senior US officials. As a result, according to The Register, the CSRB wants the tech giant to review their security systems and the cause of the breach.
CSRB recommendations to Microsoft
The first recommendation from the CSRB is that the CEO and the board of directors directly focus on the security vulnerabilities of their system. On top of that, they should develop and share publicly a plan for security-focused reforms. Also, they mention that the CEO of Microsoft should hold the senior management accountable for its delivery.
Another suggestion from the CSRB to Microsoft is to move security to the top of their priorities. Additionally, they want the company to put new features on hold until they fix the vulnerabilities. Moreover, the Cyber Safety Review Board wants Microsoft to analyze security risks before deploying new features.
What happened during the June 2023 attack on Microsoft services?
According to the CRSB, the attacks from June 2023 targeted the Microsoft Services Account (MSA). The MSA manages accounts in the cloud services for users. However, the feature lacked a proper key rotation system that should change digital keys regularly to prevent unauthorized access to cloud accounts.
Microsoft used to manage this feature manually, but they stopped in 2021. Also, between 2021 and 2023, when the attack happened, the company didn’t take any additional measures regarding the outdated digital keys. As a result, the keys became a security gap that allowed hackers to break in. That’s one of the reasons why CSRB believes that Microsoft could’ve prevented the attack.
The China-related Storm-0558 group used this opportunity to access the system with an outdated key from 2016. With it, they managed to steal data from consumer accounts and tokens to access enterprise accounts. By doing this, they stole 60,000 emails and a list of employee email addresses from the US State Department. On top of that, some of the emails contained diplomatic discussions.
Microsoft’s response
Microsoft didn’t handle the situation with transparency. Thus, they didn’t share how threat actors stole the key. In addition, they blamed the whole incident on a crash dump file stored by mistake in an unsecured environment. However, in 2024, the company admitted that they couldn’t find any evidence to their claims.
Ultimately, CSRB holds Microsoft accountable for not prioritizing security systems. Also, its competitors are handling security vulnerabilities better and with more responsibility. On top of that, the board considers Microsoft’s security infrastructure outdated. CSRB blames the company’s focus on flashy features like AI. Additionally, the board says the company forgot its core values from its founding CEO, Bill Gates.
What are your thoughts? Is Microsoft bringing way too many features without proper security measures? Let us know in the comments.
