Microsoft committed a “cascade” of “avoidable errors” that allowed Chinese hackers to breach the tech giant’s network and later the email accounts of senior US officials last year, including the secretary of commerce, a scathing US government-backed review of the incident has found.
The hack “was preventable and should never have occurred,” says a report released Tuesday by the US Cyber Safety Review Board (CSRB), a group of government and private cybersecurity experts led by the Department of Homeland Security. It was set up by President Joe Biden in 2021 to study the root causes of major hacking incidents.
In particular, the review board faulted Microsoft (MSFT) for not adequately protecting a sensitive cryptographic key that allowed the hackers to remotely sign into their targets’ Outlook accounts by forging credentials.
“Microsoft’s security culture was inadequate and requires an overhaul” in light of the company’s “centrality in the technology ecosystem,” the report concludes.
The hack roiled Washington and gave Chinese operatives access to the unclassified email accounts of senior US diplomats, including US Ambassador to China Nicholas Burns, on the eve of a high-profile visit by Secretary of State Antony Blinken to China last June, CNN has reported.
The hackers downloaded about 60,000 emails from the State Department alone, department spokesman Matthew Miller has said.
The hackers also breached the email account of Secretary of Commerce Gina Raimondo ahead of her trip to China last August, Raimondo has confirmed.
China has denied the hacking allegations.
Microsoft said in November it would bolster its security practices for developing software and protecting its users, following the alleged Chinese hacking incident and scrutiny of its security practices from US lawmakers.
“We appreciate the work of the [Cyber Safety Review Board] to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence,” a Microsoft spokesperson said in a statement to CNN on Tuesday.
Microsoft has “mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” the statement continued. “Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries.”
Microsoft will review the board’s recommendations, the spokesperson said.
The alleged hack last summer was one of a series of cyber-espionage campaigns tied to China and Russia that have exploited widely used software made by companies like Microsoft to target US national security interests. Russian hackers allegedly infiltrated software made by US firm SolarWinds to steal emails from US government agencies in 2020.
“The US government has reached a decision point with its IT service providers: more of the same or better cybersecurity,” said Cory Simpson, CEO of the Institute for Critical Infrastructure Technology, a think tank.
“I hope this CSRB report is used as a call to action by the US government for meaningful change in its longstanding relationship with Microsoft,” Simpson told CNN.