Microsoft has been in the headlines since they have been under investigation by the Secretary of Homeland Security’s new committee, the Cyber Safety Review Board.
Here we present our own investigation into what happened, the rundown of the board’s recommendations, and our take on what Microsoft did wrong and what businesses should be doing to ensure that they aren’t vulnerable to attack.
Microsoft’s Online Intrusion: The Facts
Microsoft’s issues began back in 2021 when they updated their MSA keys. These are authentication keys, used to verify that the user trying to access the server is trustworthy. Microsoft had paused manual key rotation but left one key from 2016 active. The error stemmed from a crash that captured these keys; a bug meant the key material went undetected at the time.
Towards the end of 2021, a China-based hacking group known as Storm-0558 gained access to a Microsoft engineer’s account through a compromised device. The device was a laptop belonging to an employee of a newly acquired company; it had not been vetted before being connected to Microsoft’s corporate network. That mistake allowed the hackers to obtain the out-of-date key and, with it, get into Microsoft’s systems.
In 2023, Storm-0558 gained access to multiple people’s email accounts. It isn’t clear how Microsoft failed to notice that the group had access to its servers for almost two years.
What we do know is that in June 2023, Storm-0558 broke into Commerce Department email accounts. The Security Department received a notification of the intrusion from its security alerts and then alerted Microsoft and the FBI to the issue.
From that moment Microsoft began investigating what happened: they revoked the 2016 key and secured their systems against Storm-0558. They also notified the affected customers and began working with the FBI to ensure that the issue was properly investigated and the victims notified.
In September 2023, Microsoft posted a blog with their statement on what had occurred with Storm-0558; however, they didn’t mention the 2016 key (despite knowing about it). Only in March 2024 did they add an addendum about the key.
In total, Storm-0558 gained access to the mailboxes of 22 organizations and over 500 individuals around the world, including the Commerce Secretary and the US Ambassador to China.
In May 2024, Congress began a full hearing into the incident. Microsoft’s President, Brad Smith, attended. While he criticized the Board for interviewing competitors, he was also apologetic about Microsoft’s mistakes.
“I wish we had moved faster and had gone farther, I think there was a focus on the real costs associated with keeping and retaining logs. But we should have recognized sooner, especially as the threat landscape changed, that we would be best served I think as we are now by not just retaining but providing these logs for free.” - Brad Smith, in the hearing in June 2024.
This incident has been incredibly embarrassing for Microsoft. They failed to realize that their access keys were compromised, they didn’t follow the correct procedures with the employee’s laptop, and a customer (the US government) alerted them to the hacking. Then came a full hearing, and the Board gave Microsoft 20 recommendations to follow.
The US Government’s Recommendations
The Cyber Safety Board split their recommendations into different sections, so we’ll use the same layout. You can find the full report here.
It starts with Microsoft’s culture around security, which the board found to be lax. Their first 4 recommendations aim to fix it:
- The CEO and Board should create a plan to make security-focused reforms across Microsoft and all its products which should then be published. Then leaders at all levels should be held responsible for the changes.
- All feature developments should be deprioritized until security improvements have been made.
- Microsoft should take accountability for security as one of the main actors in cyberspace. The company should prioritize it, creating incentives and a culture where security is a key design requirement.
- Microsoft used to offer granular logging (when logs include timestamps, IP addresses, user activities, and error codes) as a paid feature. The board recommended Microsoft offer it as a core part of their offering to empower their customers to detect and prevent intrusion.
The board’s next section was “Cloud service providers' cybersecurity practices”. Here the board examined industry best practices, including benchmarking against Microsoft competitors.
Their 5th set of recommendations was based on “Microsoft’s inability to determine how and when the adversary was able to steal its signing key.”
- All cloud providers should revise their logging systems to ensure that all key accesses are recorded. They also recommended that the logs be analyzed continuously to check for any threats. Finally, the logs should be stored for at least 10 years.
- All digital identity and credential systems should be designed so that the system shouldn’t be fully compromised if there is an attack. They suggest a few ways to achieve this, including stateful tokens, automatic frequent key rotation, and linkable tokens (among others.)
- The Cybersecurity and Infrastructure Security Agency will review all cloud service providers' security practices annually. They will also publish this review.
- The National Institute of Standards and Technology (NIST) and the Risk Management Framework (RMF) Joint Task Force (JTF) should update the Special Publication (SP) 800-53’s control catalog to better account for risks to cloud-based digital identity systems.
- When acquiring smaller companies, larger enterprises must recognize that these companies have weaker security policies. Adversaries may use that weakness as an entry point to the larger company’s corporate network.
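To make the stale-key failure and the rotation recommendation concrete, here is an added illustration (not code from the report, Microsoft, or StratusGrid) using a constructed HMAC-based token format: every signing key carries a validity window that the verifier enforces, so a key from 2016 is rejected in 2023 even if nobody rotated it by hand, and every key use is written to an audit trail that a detection function can scan. The names SigningKey, KeyRegistry, sign_with and retired_key_attempts are hypothetical.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

@dataclass
class SigningKey:
    kid: str
    secret: bytes    # constructed HMAC secret; a real issuer would use an asymmetric key pair
    not_before: int  # unix time from which the key may sign
    not_after: int   # unix time after which the key is retired, whether or not anyone rotated it by hand

def sign_with(key: SigningKey, claims: dict) -> str:
    """Raw signing: anyone holding the key material can produce a token, including whoever stole it."""
    header = _b64(json.dumps({"alg": "HS256", "kid": key.kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

class KeyRegistry:
    def __init__(self, keys):
        self.keys = {k.kid: k for k in keys}
        self.audit = []  # one record per key use, as the logging recommendations ask for
    def is_active(self, key: SigningKey, now: int) -> bool:
        return key.not_before <= now < key.not_after
    def issue(self, claims: dict, kid: str, now: int) -> str:
        key = self.keys[kid]
        if not self.is_active(key, now):
            raise ValueError(f"key {kid} is outside its validity window")
        return sign_with(key, claims)
    def verify(self, token: str, now: int) -> tuple:
        header, body, sig = token.split(".")
        kid = json.loads(_unb64(header))["kid"]
        key = self.keys.get(kid)
        if key is None:
            result = "unknown kid"
        elif not self.is_active(key, now):
            result = "retired key"  # rejected before the signature is even examined
        else:
            expected = hmac.new(key.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
            result = "ok" if hmac.compare_digest(expected, _unb64(sig)) else "bad signature"
        self.audit.append({"time": now, "kid": kid, "result": result})
        return result == "ok", result

def retired_key_attempts(registry: KeyRegistry) -> list:
    """Detection over the audit trail: a token presented under a retired key deserves an alert."""
    return [e for e in registry.audit if e["result"] == "retired key"]
```

The point is that retirement is enforced where tokens are checked, not only where keys are rotated; a paused rotation process then cannot silently keep an old key valid.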
The 3rd part of the Board’s recommendations is “Audit Logging Norms” to make sure that logs are correctly kept.
- All cloud service providers should adopt a minimum standard for audit logging, including ensuring that client logs are available at no extra cost with six-month retention.
The next section is about digital identity standards and guidance. The board noted that cloud companies hadn’t taken emerging standards around digital identification seriously enough.
- Cloud service providers should implement emerging standards to secure against potential attacks. These standards include Open Authorization (OAuth), Demonstrating Proof-of-Possession (DPoP), and OpenID Shared Signals and Events (SSE).
- These standards bodies should update their standards to account for advanced nation-state attackers targeting core CSP identity systems.
- Both cloud providers and the standard bodies should develop or update profiles for core digital identity standards.
In the next section, the recommendations focus on the need for companies to be transparent about security incidents and vulnerabilities. This transparency is necessary with clients, customers, regulators, and if it’s a national risk, the US government.
- All US-based cloud companies should inform the US government about an attack from an actor affiliated with a nation-state.
- These companies need to be honest with US government agencies and customers about what they do not know.
- They also need to correct public statements as soon as they realize they’re incorrect.
- Cloud service providers must disclose all vulnerabilities to the Common Vulnerabilities and Exposures (CVE) program. They should also work with the CVE program to update the Common Weakness Enumeration (CWE) to include cloud-specific issues, and commit to timely disclosure of vulnerabilities.
In the transparency section, while the Board uses “Cloud Service Providers”, they clearly criticize what they perceive as Microsoft’s lack of transparency.
The last section aimed at Microsoft and other cloud providers is called “Victim Notification Processes”. The Cyber Safety Review Board noted that while Microsoft did notify victims, many missed or ignored the notifications.
- The board recommended that cloud companies, the government, and major mobile device platforms should build an alert similar to “amber alerts” to notify victims of large hacking attacks. By doing this, victims won’t confuse the notification emails with phishing or spam emails.
- All cloud providers should develop a process to identify and categorize high-impact incidents that involve accounts presenting a higher security risk (e.g. government officials). The company should provide the victim with guidelines and next steps.
- Cloud companies together with the government should develop methods to incentivize a connection between victims and appropriate government resources, international partners, and other victims. This practice will simplify investigations and the sharing of best practices.
Those were the recommendations for Microsoft (and by extension other cloud providers). The Cyber Safety Board also made 5 recommendations to the government:
- Federal Risk and Authorization Management Program (FedRAMP), in coordination with OMB and CISA, should establish a minimum threshold for periodically re-evaluating legacy FedRAMP authorization packages.
- FedRAMP should work with OMB to establish a Technical Advisory Group (TAG).
- FedRAMP should create a process to review authorized Cloud Service Offerings (CSOs) periodically with security experts. The conclusions of the review would determine if the CSOs would continue providing their services.
- FedRAMP should strengthen the minimum audit logging standards to capture business data logs and make them available to customers.
- The National Institute of Standards and Technology (NIST) should continue updating their controls from its security and privacy control baselines to focus on contemporary threats. They should also consult with the FedRAMP program to incorporate feedback about observed threats and incidents in the cloud space.
What Microsoft Did Wrong
It's hugely concerning that Storm-0558 had access to Microsoft’s systems between 2021 and 2023. The second-largest cloud services provider should have noticed that weakness faster. For a customer to notice the problem, especially when that customer is the United States government, is embarrassing. Then, as the Cyber Safety Board itself stated, Microsoft should have been more transparent about what had happened and what the issue was. Since the government was treating it as a matter of national security, for Microsoft not to disclose that the 2016 key that hadn’t been deactivated was part of the problem is again not a good look.
Another mistake was for Microsoft to monetize its security protections. For instance, if we compare AWS and Microsoft Azure’s Identity and Access Management (IAM), AWS provides all their features as standard in all of their packages. Their security features include:
- Permissions guardrails
- IAM access analyzer
- Attribute-based control
- Identity federation
- PCI DSS compliance
- AWS services integrations
However, when we look at Microsoft Entra ID (Microsoft’s IAM), we see a very different story. Their free option doesn’t include limited access to SharePoint, global password protection and management, or any advanced security or usage reports. Not one of their plans provides all the security options that they offer. Their most comprehensive plan doesn’t include entitlement management, an identity governance dashboard, or lifecycle workflows.
From there, StratusGrid’s CEO, Chris Hurst, says that we need to compare the companies’ track records. Where AWS has had security issues, they have proactively fixed them so they don’t happen again, whereas Microsoft has had more recurring issues in recent years.
Chris Hurst continues:
“Security is increasingly becoming a requirement. In the past, security features have been considered monetizable as some companies are more interested in it than others. Some people don’t care about security because they don’t know that they need to care. However, cybersecurity is having more and more real world implications. We’ve seen the damage it’s done to meat production companies; it shows the need to understand and invest in cybersecurity features.”
In April, Bloomberg reported that Microsoft’s security revenue had doubled in two years to $20 billion annually. In the same article, Bloomberg commented that companies are a captive audience due to Microsoft’s cost-bundling strategy. The sad fact is that despite increasing revenue, Microsoft has shown itself to be incapable of protecting its clients from data breaches.
Keep Your Business Safe From Online Attacks
Businesses of all sizes can be vulnerable to cyber attacks, as Microsoft has shown. To keep your business as protected as possible, we have 5 key tips:
- Use the cloud: You are already upping your security by using Google Drive or Microsoft OneDrive. They tend to have more robust security protocols than most businesses, including advanced program protection.
- Access management: You need to have clear policies on which employees can access what information and systems. By ensuring that your HR intern doesn’t have access to budgets, you keep information secure. You also shouldn’t share login information to make sure that people don’t access classified documents by accident.
- Password management: You should have password management policies and enforcement so that employees choose strong passwords rather than easily guessed ones. Many email tools allow administrators to enforce regular password changes to keep systems safer.
- Use multi-factor authentication: Most platforms now have multi-factor authentication (MFA), so when a login occurs from a new location or after a certain amount of time it requests backup verification. Employees can receive an email, text message, call, or use an authenticator app to increase security.
- Educate staff: Make sure that your employees receive training around internet security. This training should include safe downloads, being careful with emails that request personal information or money, and sharing suspicious emails or notifications with IT.
Ensure Cloud Security
At StratusGrid we work as an AWS Premier Partner to help companies improve their infrastructure security by migrating to the cloud or modernizing their existing cloud environments. We follow AWS governance to increase the security guardrails that you have in place. Guardrails reduce the chance of data leaks, ensure your cloud environment is better managed, and help control your cloud costs.
We implement AWS governance by working with AWS cloud engineers to identify which policies and compliance rules to implement, rolling them out across your environment, and working with you to analyze if we should increase the compliance rules.
Book a call with us to analyze your security and cloud needs.