A US senator is calling on the Justice Department to hold Microsoft responsible for “negligent cybersecurity practices” that enabled Chinese espionage hackers to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce.
“Holding Microsoft responsible for its negligence will require a whole-of-government effort,” Ron Wyden (D-Ore.) wrote in a letter. It was sent on Thursday to the heads of the Justice Department, Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission.
Bending over backward
Wyden’s remarks echo those of other critics who say Microsoft is withholding key details about a recent hack. In disclosures involving the incident so far, Microsoft has bent over backwards to avoid saying its infrastructure—including the Azure Active Directory, a supposedly fortified part of Microsoft’s cloud offerings that large organizations use to manage single sign-on and multifactor authentication—was breached. The critics have said that details Microsoft has disclosed so far lead to the inescapable conclusion that vulnerabilities in code for Azure AD and other cloud offerings were exploited to pull off the successful hack.
The software maker and cloud provider indicated that the compromise resulted from the triggering of weaknesses in either Azure AD or its Exchange Online email service. Microsoft’s Threat Intelligence team has said that Storm-0558, a China-based hacking outfit that conducts espionage on behalf of that country’s government, exploited them starting on May 15. Microsoft drove out the attackers on June 16 after a customer tipped off company researchers of the intrusion. By then, Storm-0558 had breached accounts belonging to 25 organizations.
Microsoft has used amorphous terms such as “issue,” “error,” and “flaw” when attempting to explain how the nation-state hackers tracked the email accounts of some of the company’s biggest customers. One such weakness allowed the attackers to acquire an expired Microsoft Account encryption key that’s used to log consumers into Exchange accounts. Thirteen days ago, the company said it didn’t yet know how Storm-0558 acquired the key and has yet to provide any updates since.
Microsoft said an “in-depth analysis” found that the hackers were able to use the Microsoft Account, abbreviated as MSA, key to forge valid Azure AD login tokens. While Microsoft had intended MSA keys to sign only tokens for consumer accounts, the hackers managed to use it to sign tokens for access to Azure AD. The forgery, Microsoft said, “was made possible by a validation error in Microsoft code.”
Wyden called on US Attorney General Merrick B. Garland, Cybersecurity and Infrastructure Security Agency Director Jen Easterly, and Federal Trade Commission Chair Lina Khan to hold Microsoft accountable for the breach. He accused Microsoft of hiding the role it played in the SolarWinds supply chain attack, which Kremlin hackers used to infect 18,000 customers of the Austin, Texas, maker of network management software. A subset of those customers, including nine federal agencies and 100 organizations, received follow-on attacks that breached their networks.
He likened those practices in the SolarWinds case to those that he said led to the more recent breach of the Departments of Commerce and State and the other large customers.
In Thursday’s letter, Wyden wrote:
Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident. First, Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications. Second, as Microsoft pointed out after the SolarWinds incident, high-value encryption keys should be stored in an HSM, whose sole function is to prevent the theft of encryption keys. But Microsoft’s admission that they have now moved consumer encryption keys to a “hardened key store used for our enterprise systems” raises serious questions about whether Microsoft followed its own security advice and stored such keys in an HSM. Third, the encryption key used in this latest hack was created by Microsoft in 2016, and it expired in 2021. Federal cybersecurity guidelines, industry best practices, and Microsoft’s own recommendations to customers, dictate that encryption keys be refreshed more frequently, for the very reason that they might become compromised. And authentication tokens signed by an expired key should never have been accepted as valid. Finally, while Microsoft’s engineers should never have deployed systems that violated such basic cybersecurity principles, these obvious flaws should have been caught by Microsoft’s internal and external security audits. That these flaws were not detected raises questions about what other serious cybersecurity defects these auditors also missed.
Wyden’s remarks came six days after researchers from security firm Wiz reported that the MSA key acquired by the hackers gave them the ability to forge tokens for multiple types of Azure Active Directory applications. They include all applications that support personal account authentication, such as SharePoint, Teams, OneDrive, and some custom applications.
“The full impact of this incident is much larger than we Initially understood it to be,” the Wiz researchers wrote. “We believe this event will have long lasting implications on our trust of the cloud and the core components that support it, above all, the identity layer which is the basic fabric of everything we do in cloud. We must learn from it and improve.”
Microsoft remains tight-lipped
Asked to respond to Wyden’s claim that Microsoft hasn’t been transparent about its role in the latest breach, the company released a two-sentence statement. “This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks,” it read. “We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog.”
Wyden has long been known for his grasp of technical details involving cybersecurity and privacy, and his latest letter was no exception. When discussing the SolarWinds incident and Microsoft’s response to it, the senator wrote:
This is not the first espionage operation in which a foreign government hacked the emails of United States government agencies by stealing encryption keys and forging Microsoft credentials. The Russian hackers behind the 2020 SolarWinds hacking campaign used a similar technique, with a noteworthy difference. There, the targets were organizations that ran Microsoft’s identity management software on their own servers, rather than relying on Microsoft’s cloud service for user authentication, Azure Active Directory (Azure AD). That Microsoft software defaulted to not warning administrators when their organizations’ digital identity encryption keys were removed — even though removal is a rare event strongly indicative of suspicious activity. Moreover, while Microsoft had known since 2017 that such keys could be quietly exfiltrated from customer servers running its software, it failed to warn its customers, including government agencies, about this risk. Microsoft never took responsibility for its role in the SolarWinds hacking campaign. It blamed federal agencies for not pushing it to prioritize defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017. It blamed its customers for using the default logging settings chosen by Microsoft, and then blamed them for not storing the high-value encryption keys in a hardware vault, known as a Hardware Security Module (HSM). Instead, Microsoft used the incident as an opportunity to promote its Azure AD product. After a 2021 Senate Intelligence Committee hearing focused on the SolarWinds incident, Microsoft’s President Brad Smith told the committee that “[t]hose who want the best security should move to the cloud.” Microsoft’s customers heard the message—it is too hard to secure these keys on your own servers, so let Microsoft do it for you. In the three years since that high-profile hacking campaign, Microsoft’s cloud security business revenues have ballooned to over $20 billion a year.
Wyden went on to say some blame also falls on the Biden administration. In 2021 Biden issued an executive order that created a Cyber Safety Review Board and tasked it, among other things, with studying the SolarWinds attack. The SolarWinds review never took place.
“I have repeatedly pushed CISA and DHS [Department of Homeland Security] to direct the Board to study the SolarWinds incident, but have been rebuffed,” he wrote. “Had that review taken place, it is quite likely that Microsoft’s poor data security practices around encryption keys would have come to light, and this most recent incident might have been averted.”
Wyden called on Easterly to direct the board to investigate the SolarWinds incident, with a focus on whether Microsoft stored the encryption key stolen in the breach in an HSM. He urged Garland to examine whether Microsoft’s “negligent practices violated federal law.” And he called on Khan to investigate Microsoft’s privacy and data security practices to determine if they violated laws enforced by the FTC.