US report blames Microsoft’s ‘inadequate’ cybersecurity for Chinese hack
- A government cyber review board said the company did not prioritise risk management that allowed hackers to steal emails from senior US officials
- Microsoft said it would review the findings for additional recommendations, adding it has mobilised engineers to enforce security benchmarks
A Chinese-state intrusion last year of Microsoft Corp. technology that enabled hackers to gather US officials’ emails “should never have occurred,” according to a report released on Tuesday from a government cyber review board.
The Cyber Safety Review Board, a White House-mandated group designed to examine major cyberattacks, said Microsoft displayed corporate practices that “deprioritised both enterprise security investments and rigorous risk management.” The company security culture was “inadequate” and “requires an overhaul,” the report said.
The review board examined the 2023 hack of Microsoft Exchange Online inboxes, in which outsiders breached 22 organisations and hundreds of individuals. US Commerce Secretary Gina Raimondo; the US ambassador to China, Nicholas Burns; and Representative Don Bacon, a Nebraska Republican, were among those ensnared in the campaign.
A hacking group associated with the Chinese government known as Storm-0558 was behind the effort, the report said. Microsoft still has yet to determine how attackers infiltrated the company, according to the report.
Reviewers also determined that the company was slow to update misleading or inaccurate disclosures about the incident. In one case, Microsoft suggested in September 2023 that hackers had used a tool known as a digital certificate to steal emails. It wasn’t until November that the firm acknowledged to the board that its September disclosure was “inaccurate,” according to the report.