Microsoft Cybersecurity Errors Led To Breach Of Companies’ Data

Findings by the U.S. Cyber Safety Review Board have been critical of Microsoft cybersecurity errors that allowed a Chinese nation-state group called Storm-0558 to breach more than twenty companies in Europe and the U.S.

Hacker News reports that the findings called the breaches preventable, and said they only succeeded because of a “cascade of Microsoft’s avoidable errors.”

It also took the company to task for failing to detect the compromise on its own – a customer notified it of a breach – and for not prioritizing the development of an automated key rotation solution and modification of its legacy infrastructure to address current threats.

Microsoft Outlook, a personal information management system used by many senior executives of corporations, lost as many as 60,000 unclassified emails during the Storm-0558 attack that began in May 2023.

In September 2023, Microsoft said that Storm-0558 got the consumer signing key that facilitated the attack by compromising an engineer’s corporate account. The engineer had access to a crash dump that inadvertently contained the signing key.

However, in a March 2024 update, Microsoft acknowledged that the theory was inaccurate, and it had not been able to locate a “crash dump containing the impacted key material.”

“Our leading hypothesis remains that operational errors resulted in key material leaving the secure token signing environment that was subsequently accessed in a debugging environment via a compromised engineering account.”

The Cyber Safety Board recommends that cloud service providers take steps to safeguard against threats from state-sponsored actors, including adopting a minimum standard for default audit logging in cloud services, adopting incident and vulnerability disclosure practices to maximize transparency, and incorporating emerging digital identity standards.