The storm over the Chinese cyber attack on US officials, thanks to the Microsoft cybersecurity breach that compromised the MS cloud security and resulted in encryption key theft, refuses to die down.
US Senator Ron Wyden has launched a scathing attack on Microsoft, urging the U.S. government to hold the tech giant responsible for what he claims are “negligent cybersecurity practices” that facilitated a successful Chinese espionage campaign against the United States government.
In a major hack that occurred in July 2023, a private encryption key belonging to Microsoft was stolen by Chinese hackers, granting them unauthorized access to sensitive data.
According to a letter from Senator Wyden to Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly, the stolen MSA encryption key enabled the hackers to forge fake authentication tokens.
This allowed them to effectively impersonate users and gain access to Microsoft-hosted consumer accounts, even those protected with multi-factor authentication and strong passwords.
As a result, government emails were stolen, leading Wyden to assert that the Microsoft cybersecurity breach must be probed and the company must be held accountable for its role in the Chinese cyber attack on US officials.
“I’m demanding the federal government investigate how Microsoft’s neglect of cybersecurity enabled this Chinese spying campaign,” he tweeted.
Microsoft cybersecurity breach and Chinese cyber attack on US officials
In the sharply worded letter about the Microsoft cybersecurity breach, Senator Wyden alleged that the Chinese hacking is just the latest instance of cybersecurity negligence from Microsoft, citing the SolarWinds incident, which hogged the cybersecurity news headlines in 2020..
In the SolarWinds hacking campaign, Russian hackers used stolen encryption keys and forged Microsoft credentials to target organizations with Microsoft’s identity management software on their servers.
Microsoft’s lack of adequate warning to administrators when encryption keys were removed and failure to alert customers about the risk came under scrutiny, alleged Senator Wyden.
Instead of taking responsibility for the Microsoft cybersecurity breach, the company shifted blame to federal agencies and customers, using the incident to promote its Azure AD product, he wrote.
According to the Senator, this approach led to significant growth in Microsoft’s cloud security business, generating over $20 billion annually within three years of the hacking campaign.
In a detailed disclosure on July 11, Microsoft attributed the source of the attack to a Microsoft account (MSA) consumer signing key that was unlawfully obtained.
This key was then exploited by the Chinese hackers to forge authentication tokens, allowing them access to targeted government email accounts. The hackers leveraged Outlook’s web feature (OWA) and Outlook.com to carry out the intrusion.
Microsoft assured that it promptly intervened by blocking the forged tokens and replacing the compromised MSA key, effectively thwarting any further attacker activity.
“Our telemetry indicates that we have successfully blocked Storm-0558 from accessing customer email using forged authentication tokens,” said a Microsoft Security Response Center blog post on July 11.
“No customer action is required.”
However, by that time the impact of the Microsoft cybersecurity breach extended to at least 25 organizations, including some federal agencies, reported the Wall Street Journal. Among the confirmed victims were the Commerce and State Departments.
The nature of the attacks appears to be highly targeted, with a particular focus on individuals involved in recent visits to China, such as Secretary of State Antony Blinken and Assistant Secretary of State for East Asia Daniel Kritenbrink.
In a press briefing at Jakarta early this month, Blinken stated that the incident is currently under investigation.
“As a general matter, we have consistently made clear to China as well as to other countries that any action that targets the U.S. Government or U.S. companies, American citizens, is of deep concern to us, and we will take appropriate action in response,” he said.
As expected, China has denied any involvement in cyber espionage and has accused the United States of engaging in similar activities.
Cloud security, encryption key theft, and Senator Wyden’s cybersecurity probe demand
The company’s initial response on the Microsoft cybersecurity breach was that the hack’s impact was limited to Outlook.com and Exchange Online.
However, subsequent research conducted by cloud security firm Wiz revealed that the compromised key allowed the Chinese hackers access to a broader range of Microsoft products.
These included Azure Active Directory applications, SharePoint, Teams, OneDrive, customer applications supporting “login with Microsoft” functionality, and multi-tenant applications under specific conditions.
Wiz’s research highlighted the lack of standardized practices for application-specific logging, making it challenging for application owners to detect if forged tokens were used against their applications.
Microsoft’s revocation of the affected key may not entirely mitigate the risk, as sophisticated threat actors could have utilized the access and time to implant backdoors or other forms of persistence into victim systems and accounts.
The implications of the breach are far-reaching, leading to questions about the trust in cloud services and the fundamental identity layer that underpins cloud operations.
The potential scope of the breach raised concerns over the security of millions of Microsoft and customer applications.
The hack caused significant embarrassment for Microsoft when customers complained that they lacked visibility to investigate the breach, as they were not subscribed to the high-tier E5/G5 license.
Public pressure eventually compelled the company to expand logging defaults for lower-tier M365 customers.
Senator Wyden has called for a “whole of government effort” to investigate the recent hack and explore whether Microsoft had stored the stolen encryption key in an HSM (Hardware Security Module), a best practice recommended by the National Security Agency.