Microsoft: Government commission accuses negligence in Chinese hacker attack

Highlights: Government commission accuses Microsoft of negligence in Chinese hacker attack. Suspected Chinese hackers attacked Microsoft's email servers in 2023 and accessed messages from the US State Department. The company and its management therefore have to listen to serious allegations. The Cyber Safety Review Board set up by President Joe Biden has drawn a devastating conclusion for the IT company: Microsoft has made a “cascade of avoidable errors” that are the result of an inadequate security culture. The committee also used unusually harsh words to attack the company's leadership.

Suspected Chinese hackers attacked Microsoft's email servers in 2023 and accessed messages from the US State Department. The company and its management therefore have to listen to serious allegations.

Enlarge image

Microsoft offices: New offers should be reserved for security, the Commission suggests

Photo: Gonzalo Fuentes / REUTERS

The case caused international complications: In the summer of 2023, hackers who probably had connections to the Chinese state hacked numerous email accounts on Microsoft's servers and, among other things, skimmed 60,000 emails from the US State Department. Now the Cyber Safety Review Board set up by President Joe Biden has drawn a devastating conclusion for the IT company: Microsoft has made a “cascade of avoidable errors” that are the result of an inadequate security culture.

The attack was noticed because the US State Department discovered unauthorized access to its own emails in June 2023. Only then did Microsoft become aware of it and eventually discovered that 21 organizations and 503 accounts were also affected by the attack. The investigation revealed that the attackers from the group called Storm-0558 had gained access to a security code that made it possible to log into any email account.

No protection against “cyber armies”?

Microsoft publicly acknowledged the incident in July 2023, but at the same time emphasized that "no organization is immune" from attackers with sufficient resources and that it is using its best efforts to defend itself against the "cyber armies" of America's adversaries. The Cyber Safety Review Board, made up of top security experts from the government and private sector, comes to a different conclusion. In its final report, the committee states that the key used for the break-in should have been deactivated as early as 2021 and was not allowed to allow access to emails from customers such as the Foreign Ministry anyway. How the attackers were able to get this key is still unclear to this day.

The investigative commission does not see this as an isolated case, but as a systematic problem at Microsoft. In order to avoid future incidents of this kind, it is necessary to overhaul Microsoft's security culture. The committee also used unusually harsh words to attack the company's leadership. "Microsoft customers would benefit if the CEO and board of directors focused directly on the company's security culture," says the final report.

The members don't just give general advice. "In the meantime, Microsoft leadership should consider instructing internal Microsoft teams to postpone feature developments across the company's cloud infrastructure and product range until significant security improvements have been made." To anchor infrastructure, this is a harsh rebuke.

tmk/Reuters/AP

Microsoft: Government commission accuses negligence in Chinese hacker attack

No protection against “cyber armies”?

You may like

Trends 24h

Latest