3 April 2024

US cyber board blames Microsoft for May Storm-0558 hack


The DHS Cyber Safety Review Board (CSRB) has released a report on Microsoft's hack by the Chinese threat actor Storm-0558 in May 2023, in which the hackers breached an unidentified number of email accounts linked to around 25 organizations, including some related individual consumer accounts and government agencies in Western Europe and the US.

The threat actor leveraged forged authentication tokens to access impacted email accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com.

CSRB’s report found Microsoft at fault for the intrusion, which the board called “preventable,” concluding that “Storm-0558 was able to succeed because of a cascade of security failures at Microsoft.”

In its report, the board highlighted a series of decisions made by Microsoft that have had detrimental effects on enterprise security, risk management, and customer trust in safeguarding their data and operations.

The board has concluded that Microsoft's security culture is insufficient and necessitates a comprehensive overhaul, particularly given the company's pivotal role in the technology ecosystem and the significant trust customers place in it to protect their data and operations.

The board's conclusion is based on several key factors:

  • The succession of avoidable errors made by Microsoft that allowed the intrusion to succeed.

  • Microsoft's failure to independently detect the compromise of its critical cryptographic assets, instead relying on a customer to report anomalies they had observed.

  • A comparative evaluation of security practices at other cloud service providers revealed disparities where Microsoft lacked certain security controls.

  • Microsoft's inability to detect a compromise of an employee's laptop from a recently acquired company before allowing it to connect to the corporate network in 2021.

  • Delays in rectifying inaccurate public statements made by Microsoft regarding the incident, despite acknowledging the inaccuracies in November 2023. The correction was not issued until March 12, 2024, after repeated inquiries from the board regarding Microsoft's plans for addressing the issue.

Additionally, the board noted a separate incident disclosed by Microsoft in January 2024, which fell outside the scope of the board's review. This incident revealed a compromise that granted access to highly sensitive Microsoft corporate resources, including email accounts, source code repositories, and internal systems, to a different nation-state actor.

