
Feds Blame Microsoft's Corporate Culture for China-Backed Email Hack

Federal agencies ask Microsoft to overhaul its security after hackers infiltrated its Exchange Online systems last summer. Microsoft admits it needs to 'adopt a new culture' around security.


Microsoft needs to make "fundamental" reforms to its security policies, according to US security officials, following the China-backed hack of Microsoft Exchange Online's systems last summer, which resulted in the attackers gaining access to US government email accounts.

After a seven-month review, during which the Cybersecurity and Infrastructure Security Agency's Cyber Safety Review Board (CSRB) interviewed 20 different organizations and cybersecurity experts, the board concludes that the 2023 Exchange hack was entirely preventable. It blames Microsoft's "operational and strategic decisions" as well as its "corporate culture that deprioritized enterprise security investments" for the attack.

The CSRB, which notes that Redmond fully cooperated with its investigation, says Microsoft's security measures at the time were "at odds" with customer expectations, and recommends Microsoft create and share a plan for "fundamental, security-focused reforms across the company" with the public.

The board also recommends that all cloud service providers adopt audit logging standards and digital identity protections, disclose cloud service incidents, notify victims of future breaches, and establish minimum best practices for cybersecurity.

"The threat actor responsible for this brazen intrusion has been tracked by industry for over two decades and has been linked to 2009 Operation Aurora and 2011 RSA SecureID compromises," said CSRB Acting Deputy Chair Dmitri Alperovitch in a statement.

"This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government. Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors," Alperovitch added.

Notably, Microsoft acknowledges that it needs to "adopt a new culture of engineering security," a representative for the company tells PCMag via email.

"While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks," the Microsoft rep said. "Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations."

Microsoft also pointed PCMag to a November 2023 article, which states the company plans to use "an AI-based cyber shield" to protect itself from future attacks.

Microsoft's Exchange services have been a target since at least 2021, with an estimated 10 different hacking groups exploiting various server flaws. Russian hackers also infiltrated Microsoft and accessed the tech giant's source code this year.

Lawmakers have also accused Microsoft of having poor cybersecurity, with Sen. Ron Wyden (D-Ore.) previously asking the Department of Justice to investigate Microsoft after the Chinese attack, alleging Microsoft was "negligent" and arguing that it "enabled" the 2023 hack.

Editor's Note: This story has been updated to include comment from Microsoft.

About Kate Irwin