Microsoft has been in the headlines since they have been under investigation by the Secretary of Homeland Security’s new committee, the Cyber Safety Review Board.
Here we present our own investigation into what happened, the rundown of the board’s recommendations, and our take on what Microsoft did wrong and what businesses should be doing to ensure that they aren’t vulnerable to attack.
Microsoft’s issues began back in 2021 when they updated their MSA keys. These are authentication keys, used to ensure that the user trying to access the server is trustworthy. Microsoft had paused manual key rotation but left one key from 2016 active. That key was then exposed through a crash whose output included these keys, which wasn’t detected at the time due to a bug.
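To make the failure mode concrete, here is an added example (not code from the article, from Microsoft, or from StratusGrid) of the two controls that a paused rotation defeats: a signing-key registry in which every key carries a creation and retirement date, token verification that refuses keys past retirement and writes each refusal to an audit log, and a rotation audit that flags any active key older than the policy maximum. The key ids, dates, the one-year policy and the simple HMAC token format are all constructed for illustration.

```python
"""Signing-key lifecycle demo: rotation audit + retired-key rejection.
Added example; key ids, secrets, dates and token format are constructed."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_KEY_AGE = timedelta(days=365)  # assumed policy: rotate signing keys yearly


@dataclass(frozen=True)
class SigningKey:
    kid: str
    secret: bytes
    created: date
    retired: Optional[date]  # None means still accepted for verification


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: SigningKey, claims: dict) -> str:
    """Produce 'kid.payload.mac' (constructed format, HMAC-SHA256)."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key.secret, f"{key.kid}.{payload}".encode(), hashlib.sha256).digest()
    return f"{key.kid}.{payload}.{_b64(mac)}"


def verify_token(token: str, registry: Dict[str, SigningKey], today: date,
                 audit_log: List[str]) -> Optional[dict]:
    """Return the claims only if the MAC is valid AND the key is active on `today`.
    Every rejection is appended to audit_log so use of a retired key is detectable."""
    try:
        kid, payload, mac_b64 = token.split(".")
    except ValueError:
        audit_log.append("reject: malformed token")
        return None
    key = registry.get(kid)
    if key is None:
        audit_log.append(f"reject: unknown kid={kid}")
        return None
    expected = hmac.new(key.secret, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac_b64)):
        audit_log.append(f"reject: bad signature kid={kid}")
        return None
    if key.retired is not None and today >= key.retired:
        audit_log.append(f"reject: retired key kid={kid} retired={key.retired}")
        return None
    return json.loads(_unb64(payload))


def stale_keys(registry: Dict[str, SigningKey], today: date) -> List[str]:
    """Rotation audit: active keys older than MAX_KEY_AGE.
    A paused rotation leaves exactly this kind of key behind."""
    return sorted(k.kid for k in registry.values()
                  if (k.retired is None or k.retired > today)
                  and today - k.created > MAX_KEY_AGE)


def retire_key(registry: Dict[str, SigningKey], kid: str, on: date) -> None:
    """Revoke a key; tokens it signed are rejected from `on` onwards."""
    k = registry[kid]
    registry[kid] = SigningKey(k.kid, k.secret, k.created, on)


# Constructed registry: one key from 2016 was never retired when 2021 keys were issued.
REGISTRY = {
    "key-2016": SigningKey("key-2016", b"old-secret-2016", date(2016, 4, 1), None),
    "key-2021": SigningKey("key-2021", b"new-secret-2021", date(2021, 3, 1), None),
}


def demo():
    """Run the audit, show the stale key still validates, retire it, re-check."""
    registry = dict(REGISTRY)           # work on a copy so demo() is repeatable
    today = date(2021, 9, 1)
    log: List[str] = []
    token_old = sign_token(registry["key-2016"], {"sub": "alice"})
    token_new = sign_token(registry["key-2021"], {"sub": "alice"})
    findings = stale_keys(registry, today)                                   # ['key-2016']
    accepted_before = verify_token(token_old, registry, today, log) is not None  # True
    retire_key(registry, "key-2016", today)
    accepted_after = verify_token(token_old, registry, today, log) is not None   # False
    new_ok = verify_token(token_new, registry, today, log) is not None           # True
    return findings, accepted_before, accepted_after, new_ok, log


if __name__ == "__main__":
    print(demo())
```

The audit in `stale_keys` is the check that was missing when rotation was paused: run against the registry on a schedule, it would have flagged the 2016 key years before any attacker used it. The audit log entries from `verify_token` are the detection signal; retaining and reviewing them is what lets a provider see tokens signed with a key it has already retired.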
Towards the end of 2021, a Chinese-based group of hackers, known as Storm-0558, got access to a Microsoft engineer’s account through a compromised device. This device was a laptop that belonged to an employee from a newly acquired company that wasn’t vetted before being connected to Microsoft’s corporate network. That mistake allowed the hackers to get access to the out of date keys and therefore get into Microsoft’s systems.
In 2023, Storm-0558 successfully got access to multiple people’s email accounts. It isn’t clear how Microsoft didn’t notice that the group had access to their servers for almost two years.
What we do know is that in June 2023, Storm-0558 hacked into the Commerce Department email accounts. The Security Department got a notification of the hack due to their security alerts. They then alerted Microsoft and the FBI to the issue.
From that moment Microsoft began to investigate what happened, they revoked the 2016 key and secured their systems against Storm-0558. They also notified customers who were affected and began to work with the FBI to ensure that the issue was correctly investigated, and the victims notified.
Microsoft posted a blog with their statement on what had occurred with Storm-0558 in September 2023, however, they didn’t mention the 2016 key (despite knowing). Only in March 2024 did they include an addendum about the key.
In total, Storm-0558 gained access to the mailboxes of 22 organizations and over 500 individuals around the world, including the Commerce Secretary and the US Ambassador to China.
In May 2024, Congress began a full hearing into the incident. Microsoft President, Brad Smith attended. While he criticized the Board for interviewing competitors, he was also apologetic for Microsoft’s mistakes.
“I wish we had moved faster and had gone farther, I think there was a focus on the real costs associated with keeping and retaining logs. But we should have recognized sooner, especially as the threat landscape changed, that we would be best served I think as we are now by not just retaining but providing these logs for free.” - Brad Smith, in the hearing in June 2024.
This incident has been incredibly embarrassing for Microsoft. They failed to realize that their access keys were compromised, they didn’t follow the correct procedures with their employee’s laptop, and a customer (the US government) alerted them to the hacking. Then they faced a full hearing and were given 20 recommendations to follow.
The Cyber Safety Board split their recommendations into different sections, so we’ll use the same layout. You can find the full report here.
It starts with Microsoft’s culture around security, which the board found to be lax. Their first 4 recommendations aim to fix it:
The board’s next section was “Cloud service providers' cybersecurity practices”. Here the board examined industry best practices, including benchmarking against Microsoft competitors.
Their 5th set of recommendations was based on “Microsoft’s inability to determine how and when the adversary was able to steal its signing key.”
The 3rd part of the Board’s recommendations is “Audit Logging Norms” to make sure that logs are correctly kept.
The next section is about digital identity standards and guidance. The board noted that cloud companies hadn’t taken emerging standards around digital identification seriously enough.
In the next section, the recommendations focus on the need for companies to be transparent about security incidents and vulnerabilities. This transparency is necessary with clients, customers, regulators, and if it’s a national risk, the US government.
In the transparency section, while the Board uses “Cloud Service Providers”, they clearly criticize what they perceive as Microsoft’s lack of transparency.
The last section aimed at Microsoft and other cloud providers is called “Victim Notification Processes”. The Cyber Safety Review Board noted that while Microsoft did notify victims, many missed or ignored the notifications.
Those were the recommendations for Microsoft (and by extension other cloud providers). The Cyber Safety Board also made 5 recommendations to the government:
It's hugely concerning that Storm-0558 had access to Microsoft’s systems between 2021 and 2023. The 2nd largest cloud services provider should have noticed that weakness faster. For a customer to notice the problem, especially when that customer is the United States government is embarrassing. Then, as the Cyber Safety Board itself stated, Microsoft should have been more transparent about what had happened and what the issue was. Since the government was looking at it as a matter of national security, for Microsoft not to disclose that the 2016 key that hadn’t been deactivated was part of the problem is again not a good look.
Another mistake was for Microsoft to monetize its security protections. For instance, if we compare AWS and Microsoft Azure’s Identity and Access Management (IAM), AWS provides all their features as standard in all of their packages. Their security features include:
However, when we look at Microsoft Entra ID (Microsoft’s IAM), we see a very different story. Their free option doesn’t include limited access to SharePoint, global password protection and management, or any advanced security or usage reports. Not one of their plans provides all the security options that they offer. Their most comprehensive plan doesn’t include entitlement management, an identity governance dashboard, or lifecycle workflows.
From there, StratusGrid’s CEO, Chris Hurst, says that we need to compare the companies’ track records. Where AWS has had security issues, they have proactively fixed them so they don’t happen again, whereas Microsoft has had more recurring issues in recent years.
Chris Hurst continues:
“Security is increasingly becoming a requirement. In the past, security features have been considered monetizable as some companies are more interested in it than others. Some people don’t care about security because they don’t know that they need to care. However, cybersecurity is having more and more real world implications. We’ve seen the damage it’s done to meat production companies, it shows the need to understand and invest in cybersecurity features.”
In April, Bloomberg reported that Microsoft’s security revenue had doubled in two years to $20 billion annually. In the same article, Bloomberg commented that companies are a captive audience due to Microsoft’s cost-bundling strategy. The sad fact is that despite increasing revenue, Microsoft has shown itself to be incapable of protecting its clients from data breaches.
All business sizes can be vulnerable to cyber attacks, as Microsoft has shown. To keep your business as protected as possible we have 5 key tips:
At StratusGrid we work as an AWS Premier Partner to help companies improve their infrastructure security by migrating to the cloud or modernizing their existing cloud environments. We follow AWS governance to increase the security guardrails that you have in place. Guardrails reduce the chance of data leaks, ensure your cloud environment is better managed, and help control your cloud costs.
We implement AWS governance by working with AWS cloud engineers to identify which policies and compliance rules to implement, rolling them out across your environment, and working with you to analyze if we should increase the compliance rules.
Book a call with us to analyze your security and cloud needs.