
Senator Wyden: Microsoft is Responsible for China-Linked Group’s Hack – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

US Senator Ron Wyden (D-OR) is asking government enforcement agencies to hold Microsoft responsible for the hack by a Chinese-linked threat group that reportedly led to hundreds of thousands of emails from top US officials being stolen and was caused by the IT giant’s “negligent cybersecurity practices.”

In a sharply worded letter this week to the Attorney General Merrick Garland, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Trade Commission (FTC), Wyden wrote that “even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident.”


The letter stems from an attack by the advanced persistent threat (APT) group Storm-0558, which stole a Microsoft signing key and hacked its way into Microsoft 365 and Exchange Online accounts, stealing email from government and corporate accounts.

In an advisory July 12, CISA and the FBI said an agency of the Federal Civilian Executive Branch (FCEB) saw “unexpected events” in Microsoft 365 audit logs and reported it to Microsoft, which said it was malicious activity.

The advisory came a day after Microsoft issued two blog posts pointing to a malicious campaign by Storm-0558 and steps the vendor took to mitigate the threat. In another post July 14, the Microsoft Threat Intelligence team said Storm-0558 – which it described as a “China-based threat actor with espionage objectives” – began using forged authentication tokens May 15 to access user email accounts of about 25 government agencies and other public cloud customers.

Such tokens are used by identity providers like Azure Active Directory to authenticate the identity of entities asking for access to resources, like emails. Storm-0558 got ahold of an inactive Microsoft account signing key and used it to forge authentication tokens.

“Since the hackers stole an MSA encryption key, the hackers could create fake authentication tokens to impersonate users and gain access to Microsoft-hosted consumer accounts, even if a user’s account was protected with multi-factor authentication and a strong password,” Wyden wrote in his letter.

Microsoft initially said Exchange Online and Outlook.com were vulnerable to the hack. However, a report by cybersecurity firm Wiz noted that the compromised MSA key also could have allowed the threat group to forge access tokens for other Azure AD applications, including SharePoint, Teams, and OneDrive.
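The two preceding paragraphs describe the mechanism at the heart of the incident: a relying party trusts any token whose signature checks out under a key it recognises, so a signing key that should have been inactive, or a token minted for one application and replayed against another, are the checks that decide whether the attacker gets in. The following verifier is an added illustration written for this page, not code from the article, from Microsoft or from Wiz. It assumes a constructed compact token format signed with HMAC-SHA256 (the real MSA keys are asymmetric; HMAC keeps the example standard-library only), a constructed key set in which each key carries an active/retired status, and constructed issuer and audience identifiers.

```python
"""
Added example (not from the article or from Microsoft): a minimal token
verifier showing why possession of a signing key bypasses MFA and strong
passwords, and which checks a relying party can still make on its side.

Assumptions (constructed for illustration):
- tokens are HMAC-SHA256 signed in a compact "header.payload.signature" form
- the issuer publishes a key set in which each key is "active" or "retired"
- the relying party knows its own audience identifier and the issuer URL
"""
import base64
import hashlib
import hmac
import json
import time


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(key_id: str, key: bytes, claims: dict) -> str:
    """Mint a token the way an issuer would (constructed format)."""
    header = {"alg": "HS256", "kid": key_id}
    signing_input = f"{_b64u(json.dumps(header).encode())}.{_b64u(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64u(sig)}"


def verify_token(token: str, key_set: dict, expected_aud: str, expected_iss: str, now=None):
    """Return (ok, reason); each failure has its own reason so an audit log
    entry can record which check rejected the token."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64u_decode(h_b64))
        claims = json.loads(_b64u_decode(p_b64))
    except ValueError:  # wrong number of parts, bad base64, bad JSON
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    entry = key_set.get(header.get("kid"))
    if entry is None:
        return False, "unknown kid"
    # A retired (inactive) key must be refused even when the signature under
    # it is mathematically valid; honouring it is the failure mode described above.
    if entry["status"] != "active":
        return False, "retired key"
    expected = hmac.new(entry["key"], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(s_b64)):
        return False, "bad signature"
    if claims.get("iss") != expected_iss:
        return False, "wrong issuer"
    # Audience check: a token minted for the mail application must not be
    # accepted by a different application behind the same identity provider.
    if claims.get("aud") != expected_aud:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


# Constructed key set: one current key and one that was rotated out.
KEY_SET = {
    "key-2023": {"key": b"constructed-active-secret", "status": "active"},
    "key-2016": {"key": b"constructed-retired-secret", "status": "retired"},
}
ISSUER = "https://issuer.example"  # constructed


def demo() -> dict:
    """Run the verifier over four constructed tokens and return each verdict."""
    now = 1_700_000_000
    base = {"iss": ISSUER, "aud": "mail-app", "sub": "alice", "exp": now + 3600}
    results = {}
    good = sign_token("key-2023", KEY_SET["key-2023"]["key"], base)
    results["valid"] = verify_token(good, KEY_SET, "mail-app", ISSUER, now)
    # Signed with the retired key: signature verifies, key status rejects it.
    stale = sign_token("key-2016", KEY_SET["key-2016"]["key"], base)
    results["retired_key"] = verify_token(stale, KEY_SET, "mail-app", ISSUER, now)
    # Valid mail token presented to a different application.
    results["wrong_aud"] = verify_token(good, KEY_SET, "files-app", ISSUER, now)
    # Payload altered after signing: signature no longer matches.
    h, _, s = good.split(".")
    altered = dict(base, sub="admin")
    tampered = f"{h}.{_b64u(json.dumps(altered).encode())}.{s}"
    results["tampered"] = verify_token(tampered, KEY_SET, "mail-app", ISSUER, now)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} -> {ok} ({reason})")
```

The point of the `retired key` branch is that signature validity alone is not sufficient: the verifier has to consult the key's lifecycle state, and the issuer has to publish that state promptly when a key is withdrawn. The audience check is the relying-party-side control that limits how far a single token, however it was obtained, can travel.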

The Key Role of Audit Logs

Also at issue were audit logs. CISA noted that the FCEB agency detected the hack through anomalous behavior in its audit logs and encouraged all agencies to ensure audit logging was enabled in their infrastructures. In response to the attack, Microsoft said on July 19 that it is expanding access to audit logging for more Microsoft 365 customers at no additional cost, making it easier for them to detect and analyze cybersecurity incidents.

Still, Microsoft must bear the brunt of the responsibility for the hack, Wyden wrote. He noted that in the high-profile supply-chain attack on SolarWinds in 2020, the Russian-linked group Nobelium used a similar method, though the targets there were organizations running servers on premises, not in the cloud.

The senator wrote that rather than taking responsibility then, Microsoft blamed federal agencies and its customers for not sufficiently hardening their security and then “used the incident as an opportunity to promote its Azure AD product.”

Wyden also noted that in the intervening three years, revenues for Microsoft’s cloud security business have reached $20 billion. Given that, “holding Microsoft responsible for its negligence will require a whole-of-government effort,” the senator wrote.

Getting Government Agencies Involved

He is asking the AG’s office to determine whether Microsoft’s cybersecurity practices broke federal law and CISA Director Jen Easterly to investigate the incident. At the same time, he wants FTC Chair Lina Khan to “investigate Microsoft’s privacy and data security practices related to this incident to determine if Microsoft violated federal laws enforced by the Federal Trade Commission, including those prohibiting unfair and deceptive business practices.”

He also put some of the blame on the Biden Administration, CISA, and the Department of Homeland Security for not following through with a promised audit of the SolarWinds attack, writing that if the review had happened, “it is quite likely that Microsoft’s poor data security practices around encryption keys would have come to light, and this most recent incident might have been averted.”

A Microsoft spokesperson didn’t directly address Wyden’s letter, telling Security Boulevard that “this incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks. We continue to work directly with government agencies on this issue.”

The spokesperson also said Microsoft will continue sharing information about the incident on its threat intelligence blog.


Original Post URL: https://securityboulevard.com/2023/07/senator-wyden-microsoft-is-responsible-for-china-linked-groups-hack/

Category & Tags: Cloud Security, Cybersecurity, Data Security, Featured, News, Security Boulevard (Original), Spotlight, Threat Intelligence, Threats & Breaches, Data breach, email, Microsoft
