CSRB reports Microsoft Exchange breach by Storm-0558, urges security reforms following espionage incident

The U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) has published a report on the summer 2023 Microsoft Exchange Online breach by Storm-0558, a group associated with China. The intrusion affected the mailboxes of 22 organizations and over 500 individuals globally, including U.S. government officials such as Commerce Secretary Gina Raimondo, U.S. Ambassador to China R. Nicholas Burns, and Congressman Don Bacon. The actor gained access by forging authentication tokens and signing them with a Microsoft consumer account signing key it had acquired.

The 34-page CSRB report condemns Microsoft for security lapses that facilitated espionage, calling for comprehensive reforms within Microsoft and the cloud service sector. It emphasizes the need for improved cybersecurity practices and regulatory updates to mitigate future cyber threats. 

The review concluded that the breach by Storm-0558 was avoidable, pointing to operational and strategic decisions by Microsoft that reflected a corporate culture which deprioritized enterprise security investments and rigorous risk management. Given its central position in the tech industry and the trust customers place in it, Microsoft’s approach was deemed inadequate. The Board recommends that Microsoft develop and publicly share a plan outlining security-focused reforms, with specific timelines, across the company and its product range. Microsoft fully cooperated with the review.

Describing the compromise of Microsoft’s cloud environment last year, Robert Silvers, chair of the CSRB, and Dmitri Alperovitch, deputy chair, wrote in the report that the actor “struck the espionage equivalent of gold. The threat actors accessed the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China.”

Furthermore, the report outlined that Storm-0558 was able to succeed because of a cascade of security failures at Microsoft. “Today, the Board issues recommendations to Microsoft to ensure this critical company, which sits at the center of the technology ecosystem, is prioritizing security for the benefit of its more than one billion customers. In the course of its review, the Board spoke with a range of large CSPs to assess the state of their security practices, and—as is also its mandate—the Board today issues recommendations to all CSPs for establishing specific security controls for identity and authentication in the cloud.” 

It added that all technology companies must prioritize security in the design and development of their products. “The entire industry must come together to dramatically improve the identity and access infrastructure that safeguards the information CSPs are entrusted to maintain. Global security relies upon it.”

“Individuals and organizations across the country rely on cloud services every day, and the security of this technology has never been more important,” Alejandro Mayorkas, DHS secretary, said in a media statement. “Nation-state actors continue to grow more sophisticated in their ability to compromise cloud service systems. Public-private partnerships like the CSRB are critical in our efforts to mitigate the serious cyber threat these nation-state actors pose. The Department of Homeland Security appreciates the Board’s comprehensive review and report of the Storm-0558 incident. Implementation of the Board’s recommendations will enhance our cybersecurity for years to come.”

As directed by President Joe Biden through Executive Order 14028, Secretary Mayorkas established the CSRB in February 2022.  The Board’s investigations are conducted independently, and its conclusions are independently reached. DHS and the CSRB are committed to transparency and will, whenever possible, release public versions of CSRB reports, consistent with applicable law and the need to protect sensitive information from disclosure.

Last August, the DHS announced that the CSRB would assess the recent Microsoft Exchange Online intrusion, initially reported in July, and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable cloud service providers (CSP) and their customers. The CSRB obtained data from and conducted interviews with 20 organizations and experts including cybersecurity companies, technology companies, law enforcement organizations, security researchers, academics, as well as several impacted organizations.

The inclusive review process developed actionable findings and recommendations. As a result of the CSRB’s recommendations, CISA plans to convene major CSPs to develop cloud security practices aligned with the CSRB recommendations and a process for CSPs to regularly attest and demonstrate alignment.

“DHS is committed to efforts that meaningfully improve cybersecurity resilience and preparedness for our nation, and the work of the CSRB is reflective of our determination and dedication to this cause,” according to Jen Easterly, CISA director. “I am confident that the findings and recommendations from the Board’s report will catalyze action to reduce risk to the critical infrastructure Americans rely on every day.”

As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key. This was not the first intrusion perpetrated by Storm-0558, nor was it the first time Storm-0558 displayed interest in compromising cloud providers or stealing authentication keys. Industry links Storm-0558 to the 2009 Operation Aurora campaign that targeted over two dozen companies, including Google, and the 2011 RSA SecurID incident, in which the actor stole secret keys used to generate authentication codes for SecurID tokens, which were used by tens of millions of users at that time. Indeed, security researchers have tracked Storm-0558’s activities for over 20 years.

The Board found that this intrusion was preventable and should never have occurred, and concluded that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. 

The Board’s conclusion is rooted in a series of avoidable errors by Microsoft that facilitated the success of this intrusion. These include Microsoft’s inability to independently detect the compromise of its own critical cryptographic assets, leaving it dependent on a customer to flag anomalies; the Board’s comparison with security practices at other cloud service providers, which maintained controls that Microsoft lacked; and Microsoft’s failure to detect the compromise of an employee’s laptop from a recently acquired company before allowing it to connect to Microsoft’s corporate network in 2021.

The Board’s conclusion was also influenced by Microsoft’s delay in correcting inaccurate public statements regarding the incident. Microsoft initially stated it had identified the root cause of the intrusion, which was later found to be inaccurate. Despite acknowledging this error to the Board in November 2023, Microsoft did not update the statement until March 12, 2024, during the Board’s review process and after repeated inquiries. 

Additionally, the Board noted a separate incident disclosed by Microsoft in January, outside the review’s scope, involving a compromise that allowed another nation-state actor access to sensitive Microsoft corporate email accounts, source code repositories, and internal systems. Microsoft’s essential products, supporting national security, the economy, and public health and safety, necessitate the highest standards of security, accountability, and transparency.

Throughout the review, the Board identified a series of Microsoft’s operational and strategic decisions that collectively indicate a corporate culture that placed less emphasis on enterprise security investments and robust risk management practices. To instigate the necessary cultural shift within Microsoft, the Board suggests that the company’s CEO and Board of Directors focus directly on enhancing the security culture. They recommend that Microsoft publicly share a plan with specific timelines for implementing fundamental security-focused reforms across the organization and its entire product range. 

The Board advises holding senior officers accountable for executing this plan. Additionally, Microsoft leadership should consider instructing internal teams to prioritize security enhancements over feature developments in the cloud infrastructure and product suite. This approach aims to prevent resource competition and ensure that security improvements are prioritized before deploying new features.

The CSRB recommends specific actions to CSPs and government partners to improve security and build resilience against the types of attacks conducted by Storm-0558 and associated groups. The Board is aware of Microsoft’s recent changes to its security leadership and the ‘Secure Future Initiative’ that it announced in November. The Board believes that these and other security-related efforts should be overseen directly and closely by Microsoft’s CEO and its Board of Directors and that all senior leaders should be held accountable for implementing necessary changes with utmost urgency. 

The Board states that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture. The CEO and Board should develop, and share publicly, a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products, and then hold leaders at all levels of the company accountable for its implementation. Given the company’s critical importance to its more than one billion customers and to the national security of the United States and, indeed, the entire world, progress in this area should be rapid and substantial.

It also recommended that Microsoft leadership consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made. In all instances, security risks should be fully and appropriately assessed and addressed before new features are deployed.

Microsoft and all CSPs should heed the call and take accountability for the security outcomes of their customers, ensuring that senior leaders make security a business priority, creating internal incentives, and fostering an across-the-board culture to make security a design requirement. 

The Board notes that some CSPs, including Microsoft until recently, offer granular logging, which can be invaluable in security incident detection, investigation, and response—as a part of a paid package offering to their core services. This course of business should stop. Security-related logging should be a core element of cloud offerings and CSPs should provide customers with the foundational tools that provide them with the information necessary to detect, prevent, or quantify an intrusion, recognizing that many customers will still require additional or third-party analytic capabilities to build a fully mature security program.

In its 2024 Annual Threat Assessment, published last month, the Office of the Director of National Intelligence (ODNI) highlighted the growing fragility of the global order. The ODNI report assesses that China remains the most active and persistent cyber threat to U.S. government, private sector, and critical infrastructure networks.
