In the summer of 2023, Microsoft's Exchange Online Software was hit by a data breach that exposed the online email inboxes of 22 organizations and 500 people including US government employees. Now, Microsoft is being slammed by the US Cyber Safety Review Board after finding that the breach could have been prevented if not for the tech giant's "cascade of security failures" and "inadequate" security culture.
President Biden ordered the report, which describes the actions Microsoft took before, during, and following the extensive hack and identifies key failures in each instance, the intrusion was deemed "preventable."
(Photo : JOSEP LAGO/AFP via Getty Images) People visit the US technology company Microsoft's stand during the Mobile World Congress (MWC), the telecom industry's biggest annual gathering, in Barcelona on February 26, 2024.
Ars Technica reports that Microsoft claims not to know the exact method by which Storm-0558, a hacker organization believed to be connected to the People's Republic of China, gained access.
Bleeping Computer contradicts this, stating that as per Microsoft's belief, the Exchange Online intrusion that occurred in May of last year was caused by the threat actor that took an Azure signing key from a laptop belonging to an engineer. The laptop had previously been infiltrated by hackers at a company that Microsoft had bought.
Read Also: Windows 10 Support Beyond 2025: Microsoft Unveils Pricing on Extended Update Plans
Microsoft's Security Overhaul
The Board also concluded that Microsoft needed to change its security culture because it was insufficient and didn't meet consumer expectations, especially considering how important the company is to the technology ecosystem and how much customers rely on it to protect their data and business operations.
A Microsoft representative noted in the report that the company "fully cooperated with the Board's review." The corporation also expressed its appreciation for the CSRB's investigation into the effects of nation-state threat actors with substantial resources that operate constantly and without effective deterrents.
According to a Microsoft representative, recent occurrences have shown that their networks need to embrace a new engineering culture for security, as outlined in their Secure Future Initiative. In addition to hardening its systems and adding more sensors and logs to identify and fend off attackers' cyber-armies. Microsoft promises to examine the completed report and make any necessary revisions.
Based on information received from affected businesses, cybersecurity professionals and enterprises, law enforcement agencies, and conversations with Microsoft representatives, the CSRB carried out its analysis of the Microsoft Exchange Online attack in 2023.
According to the article, Microsoft was made aware of the attack following a warning from the U.S. Department of State on June 16, 2023. The State Department's security operations center (SOC) noticed unusual access the day before, which was one of the first indications of the hack on the agency's mail systems.
Microsoft's Problematic Security
The CSRB report proves to only be one of Microsoft's latest blunders in cyber security. The tech giant recently acknowledged that it has not yet eliminated state-sponsored hackers or contained a Russian data breach.
The nation-state attack was identified by the Microsoft Security Team on January 12, 2024, and it was made public on January 19. When Microsoft's security team learned of the compromise of corporate email infrastructure and senior officials' email accounts, the company moved quickly to initiate its response protocol.
Microsoft Threat Intelligence identified the threat actor as Russian state-sponsored actor Midnight Blizzard, also referred to as NOBELIUM.
Read Also: Microsoft Executives' Emails Compromised in Russian State-Sponsored Midnight Blizzard Cyberattack
(Photo : Tech Times)
