US Gov report slams Microsoft over email hack—'The Board finds that this intrusion was preventable and should never have occurred'


Last year, Microsoft disclosed that a Chinese hacking group referred to as "Storm-0558" was responsible for a security breach that led to the access of the email accounts of around 25 organisations, including some US government agencies. The federal Cyber Safety Review Board has just released its report on the incident, identifying a "cascade of Microsoft's avoidable errors that allowed this intrusion to succeed". Ouch.

The Cyber Safety Review Board is composed of officials from several US government departments, including the Department of Homeland Security, the NSA and the FBI (via Ars Technica), along with several industry leaders. It was tasked with creating the report under a mandate from President Biden in response to the attack.

In a somewhat scathing review, the board found that not only were Microsoft's security practices "lacking" in comparison to other cloud providers, but that public statements released surrounding the attack were "inaccurate" and not corrected in a timely manner. 

Microsoft said at the time that Storm-0558 had acquired a consumer signing key, which it used to forge tokens for the cloud service that stores login keys, and that this was caused by a validation error in its codebase. It later changed this explanation to a claim that an engineer's account was hacked, and that "human errors" were to blame for allowing an expired signing key to be used to forge tokens.

However, the report revealed that Microsoft has yet to determine the exact root cause of the breach, and noted that the company only updated its blog posts discussing the attack in March of this year, at roughly the same time the board was concluding its review and "only after the Board's repeated questioning about Microsoft's plan to issue a correction".

The attack itself was originally detected by State Department officials in June of last year, who then went on to notify Microsoft about the breach. The report notes that this was only possible because the department had paid for a higher tier of Microsoft cloud services that allowed them to set up an alert for notable mail access—called rather charmingly "Big Yellow Taxi"—which was then triggered when the hackers attempted to download more than 60,000 emails.

In summation, the report makes several recommendations to prevent future security failings, including a renewed focus on security culture, a shift from the prioritisation of feature developments to security improvements, a move towards taking accountability for the security outcomes of customers, and a focus on providing customers with tools that allow them to detect, prevent or quantify a future intrusion.

"Microsoft’s products and services are ubiquitous. It is one of the most important technology companies in the world, if not the most important."

"Unfortunately, throughout this review, the Board identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management. These decisions resulted in significant costs and harm for Microsoft customers around the world. The Board is convinced that Microsoft should address its security culture."

While this report is damning in its findings, Microsoft is not the only victim of the hacking group's attempts to breach major security networks. Storm-0558 was noted as having a history of stealing authentication keys for cloud services from global providers, and making something of a menace of itself in the process. 

Still, a significant slap on the wrist for Microsoft, and a summation that doesn't hold back on its critique of its security practices. Given that Microsoft's Azure cloud platform is used by vast numbers of major companies and institutions to handle potentially very sensitive data, this may serve as a wakeup call for the company to focus on security concerns in order to prevent customers from looking elsewhere. 

Andy Edser
Hardware Writer

Andy built his first gaming PC at the tender age of 12, when IDE cables were a thing and high resolution wasn't—and he hasn't stopped since. Now working as a hardware writer for PC Gamer, Andy's been jumping around the world attending product launches and trade shows, all the while reviewing every bit of PC hardware he can get his hands on. You name it, if it's interesting hardware he'll write words about it, with opinions and everything.
