The U.S. Cyber Safety Review Board (CSRB) has issued a stern rebuke to Microsoft for significant security failures that enabled a cyberattack by a Chinese state-sponsored group known as Storm-0558. This breach, which occurred last year, compromised nearly two dozen organizations in both Europe and the U.S. The findings, shared by the Department of Homeland Security (DHS) in a recent report, indicate that the attack could have been avoided and stemmed from a series of “avoidable errors” on Microsoft’s part.
The report highlights a corporate culture at Microsoft that has historically deprioritized investments in enterprise security and robust risk management. As stated by DHS officials, this culture is particularly concerning given Microsoft’s pivotal role in the technology landscape and the high level of trust its customers place in the company to protect sensitive data and operations.
A critical point raised by the CSRB was Microsoft’s failure to detect the breach internally. Instead, the company relied on a concerned customer to report the issue. The CSRB criticized Microsoft for not prioritizing the development of automated key rotation solutions and failing to modernize its legacy infrastructure, which is essential to address the evolving threat landscape.
The incident first came to public knowledge in July 2023, when Microsoft disclosed that Storm-0558 had gained unauthorized access to 22 organizations and over 500 individual consumer accounts. Microsoft later revealed that a validation error in its code allowed for the illegitimate creation of Azure Active Directory tokens. Storm-0558 leveraged a consumer signing key to forge these tokens, which facilitated their access to email accounts across the targeted organizations.
By September 2023, further investigation unveiled that Storm-0558 had obtained the consumer signing key by compromising an engineer’s corporate account. This account, which had access to a debugging environment, inadvertently contained a crash dump of the consumer signing system, along with the signing key. Microsoft has since indicated that it has not been able to locate this crash dump and that its investigation remains ongoing, asserting that operational failures led to key materials being compromised in an unsecured environment.
In a statement reflecting on the situation, a Microsoft spokesperson emphasized the necessity for a cultural shift towards prioritizing security in engineering practices. The ongoing ramifications of this breach are severe, with reports indicating that around 60,000 unclassified emails were exfiltrated as part of the attack campaign that began in May 2023. The Chinese government has denied any involvement in the incident.
Amid these developments, Microsoft has taken steps to enhance security measures for U.S. federal agencies, expanding free logging capabilities across all license tiers to help organizations better detect and respond to sophisticated cyber threats. Dmitri Alperovitch, Acting Deputy Chair of the CSRB, acknowledged the long-standing presence of the threat actor behind the breach, linking it to previous high-profile cyber incidents, thus emphasizing the group’s sustained capability and intent to pursue sensitive data of interest to the Chinese government.
To mitigate risks associated with state-sponsored cyberattacks, the CSRB has recommended that cloud service providers implement modern security controls, adopt standard audit logging practices, and enhance transparency through effective incident and vulnerability disclosure strategies. Furthermore, it proposed updates to federal cybersecurity frameworks to better address high-impact incidents and their aftermath.
In this context, the incident involving Microsoft exemplifies several tactics from the MITRE ATT&CK Matrix, including initial access through credential dumping and privilege escalation via compromised accounts. These insights not only illustrate the nature of the threat but also encourage business leaders to bolster their cybersecurity strategies in an increasingly complex digital environment.
