The CSRB, Microsoft, China and You

What does the recent report on Microsoft security mean?

In May-June 2023 a hacking group affiliated with the Chinese Ministry of State Security (known as Storm-0558) breached the email of several of Microsoft’s customers including the US State Department, the US Department of Commerce, several UK government organisations as well as customers in other countries. They also compromised the personal email accounts of key individuals involved in US relations with China.

The compromise was initially detected by one of Microsoft’s customers – the US State Department – because they had purchased a higher-tier licence that gave them additional audit logging (in particular, a record of each mailbox item being read) and they had written a custom alerting rule that fired on unusual mailbox access (the “big yellow taxi” rule).
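To make that kind of detection concrete, here is an added example of a rule of that shape in Python. It is not code from the original post and not the State Department’s actual rule. It runs over constructed records in the shape of Microsoft 365 Unified Audit Log MailItemsAccessed entries; every user, address and AppId in it is made up, and the “known application” list and “trusted network” ranges are assumptions that a tenant would replace with its own baseline.

```python
"""Added example: an 'unusual mailbox access' rule over MailItemsAccessed audit records."""
import ipaddress

# Constructed sample records in the shape of Unified Audit Log entries (only the
# fields this rule uses; every value below is made up for the example).
SAMPLE_RECORDS = [
    {"CreationTime": "2023-06-15T01:02:03", "Operation": "MailItemsAccessed",
     "UserId": "alice@agency.example", "ClientIPAddress": "198.51.100.23",
     "AppId": "11111111-1111-1111-1111-111111111111", "ClientInfoString": "Client=OWA",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]},
    {"CreationTime": "2023-06-15T02:10:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@agency.example", "ClientIPAddress": "203.0.113.77",
     "AppId": "11111111-1111-1111-1111-111111111111", "ClientInfoString": "Client=OWA",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]},
    {"CreationTime": "2023-06-15T02:11:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@agency.example", "ClientIPAddress": "198.51.100.40",
     "AppId": "22222222-2222-2222-2222-222222222222", "ClientInfoString": "Client=REST",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]},
    {"CreationTime": "2023-06-15T02:12:00", "Operation": "MailboxLogin",
     "UserId": "bob@agency.example", "ClientIPAddress": "203.0.113.77",
     "AppId": "22222222-2222-2222-2222-222222222222"},
    {"CreationTime": "2023-06-15T02:13:00", "Operation": "MailItemsAccessed",
     "UserId": "carol@agency.example", "ClientIPAddress": "198.51.100.41",
     "AppId": "11111111-1111-1111-1111-111111111111", "ClientInfoString": "Client=OWA",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}]},
]

# Assumed tenant baseline: the applications expected to read mail, and the
# address ranges users normally come from. A real tenant derives these from
# its own history, not from a hard-coded list.
KNOWN_APP_IDS = {"11111111-1111-1111-1111-111111111111"}
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def mail_access_type(record):
    """Pull MailAccessType (Bind = individual item read, Sync = client sync) out of the record."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value")
    return None


def in_trusted_network(ip_text, networks):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # missing or malformed address counts as untrusted
    return any(ip in net for net in networks)


def detect_unusual_access(records, known_app_ids=KNOWN_APP_IDS, trusted_networks=TRUSTED_NETWORKS):
    """Return one alert per MailItemsAccessed event whose application or source
    address falls outside the baseline. Other operations are ignored, so a
    tenant whose licence never produced MailItemsAccessed events gets no alerts."""
    alerts = []
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        reasons = []
        if rec.get("AppId") not in known_app_ids:
            reasons.append("unknown AppId %s" % rec.get("AppId"))
        if not in_trusted_network(rec.get("ClientIPAddress", ""), trusted_networks):
            reasons.append("untrusted source IP %s" % rec.get("ClientIPAddress"))
        if reasons:
            alerts.append({"user": rec["UserId"], "time": rec["CreationTime"],
                           "access_type": mail_access_type(rec), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_unusual_access(SAMPLE_RECORDS):
        print(alert)
```

Run against the sample, it raises two alerts: Alice’s mailbox read from an address outside the trusted range, and Bob’s mailbox read by an application the tenant has never seen. The MailboxLogin record is deliberately ignored: the rule keys on MailItemsAccessed, which is exactly the event customers without the higher-tier licence did not have, so for them the same rule would return nothing at all.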

It eventually turned out that the access was the work of Storm-0558, and that they had got into the mailboxes by forging authentication tokens with a stolen Microsoft signing key. Further:

  1. The key dated from 2016 and should long since have been retired, but Microsoft stopped rotating these keys in 2020.
  2. The key was a consumer (personal account) signing key and should never have been accepted for enterprise customers; a flaw in Microsoft’s token validation meant that it was.
  3. Despite a blog post to the contrary, Microsoft has never established how the key was stolen.
  4. Exchange Online was the only service actually breached, but a token forged with the key would have been accepted by essentially any Microsoft cloud service that trusted it.
  5. Customers who had not purchased the additional logging capability could not tell whether they had been breached – and Microsoft does not have those logs either.
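Points 1 and 2 are, at bottom, two missing checks in token validation: a key that should have been retired was still honoured, and a key registered for one issuer was accepted as vouching for another. The following added example shows both, with a deliberately flawed verifier beside a hardened one. It is illustrative code written for this page, not Microsoft’s validation code: the issuer URLs, audience, key ids and timestamps are made up, and HMAC stands in for the asymmetric signatures a real identity provider uses so that it runs with the standard library alone.

```python
"""Added example: token verification with and without binding a signing key to its
issuer and lifetime (the two failures behind the forged-token access described above)."""
import base64
import hashlib
import hmac
import json

# Hypothetical issuers, audience and clock. Real identity systems use RS256 with
# published public keys; HMAC is used here only so the example is self-contained.
CONSUMER_ISSUER = "https://consumer-idp.example/"
ENTERPRISE_ISSUER = "https://enterprise-idp.example/"
AUDIENCE = "https://mail.example/"
NOW = 1686000000  # 2023-06-05, the instant at which tokens are checked

# Key registry: each key id records which issuer the key may sign for and when it retires.
KEYS = {
    "consumer-2016":   {"secret": b"consumer-key-2016",   "issuer": CONSUMER_ISSUER,   "not_after": 1500000000},
    "consumer-2023":   {"secret": b"consumer-key-2023",   "issuer": CONSUMER_ISSUER,   "not_after": 1800000000},
    "enterprise-2023": {"secret": b"enterprise-key-2023", "issuer": ENTERPRISE_ISSUER, "not_after": 1800000000},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-shaped token with the named key: exactly what a stolen key lets an attacker do."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _split(token: str):
    head, body, sig = token.split(".")
    return json.loads(_unb64(head)), json.loads(_unb64(body)), _unb64(sig), head + "." + body


def _signature_ok(key: dict, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_vulnerable(token: str, expected_issuer: str, now: int = NOW):
    """Flawed: looks the key up by kid in one shared store and trusts whatever it finds.
    The issuer claim is compared, but nothing ties the key to that issuer, and a
    long-retired key is still honoured."""
    header, claims, sig, signing_input = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("iss") != expected_issuer or claims.get("aud") != AUDIENCE:
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims


def verify_hardened(token: str, expected_issuer: str, now: int = NOW):
    """Same checks plus: the key must still be live, and it must be registered for the
    issuer the token claims, so a consumer key can never vouch for an enterprise tenant."""
    header, claims, sig, signing_input = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None or now > key["not_after"]:
        return None  # unknown or retired key: reject before even checking the signature
    if not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("iss") != key["issuer"] or claims.get("iss") != expected_issuer:
        return None  # this key is not authorised to sign for the claimed issuer
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) < now:
        return None
    if expected_issuer == ENTERPRISE_ISSUER and not claims.get("tid"):
        return None  # enterprise tokens must name a tenant
    return claims


def scenario() -> dict:
    """Three tokens presented to an enterprise mail endpoint; reports which verifier accepted which."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "tid": "victim-tenant", "sub": "alice", "exp": NOW + 3600}
    legit = sign_token("enterprise-2023", claims)
    forged_old = sign_token("consumer-2016", claims)  # attacker holds the stolen, long-retired consumer key
    forged_new = sign_token("consumer-2023", claims)  # even a current consumer key must not pass here
    results = {}
    for name, tok in (("legit", legit), ("forged_old_key", forged_old), ("forged_new_key", forged_new)):
        results[name] = {"vulnerable": verify_vulnerable(tok, ENTERPRISE_ISSUER) is not None,
                         "hardened": verify_hardened(tok, ENTERPRISE_ISSUER) is not None}
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:15} vulnerable accepts={outcome['vulnerable']}  hardened accepts={outcome['hardened']}")
```

The flawed verifier accepts all three tokens, because the attacker simply writes the enterprise issuer and tenant into the claims and the shared key store supplies a matching key. The hardened verifier rejects the 2016-key token on lifetime alone and the 2023-consumer-key token on issuer binding alone, which is the point of doing both checks: rotation without key-to-issuer binding would still have let a fresh consumer key forge enterprise tokens.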

The Cyber Safety Review Board (CSRB) – a group of government and private sector experts convened by the Department of Homeland Security – performed a review of the incident and issued a scathing report. The CSRB report was damning about Microsoft’s security overall, and their handling of the incident in particular. Here are some representative quotes:

“The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul…” (p iii)

“Individually, any one of the failings described above might be understandable. Taken together, they point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security.” (p 18)

“These decisions resulted in significant costs and harm for Microsoft customers around the world.” (p 18)

Importantly, the CSRB found that this breach would not have happened at several of Microsoft’s competitors, because of the technical security measures they had in place.

The CSRB then went on to make 25 recommendations – to Microsoft, cloud service providers in general, and various parts of the US government.

If you are a client of ours, you may have some questions about the incident or the work we have done around Microsoft’s security and services. So, here are some general answers and thoughts. If you have any specific questions or concerns feel free to reach out to us at incidents@axenic.co.nz.

Were we affected?

According to Microsoft, all affected customers have now been contacted.

What should we do with our Microsoft stuff?

Should we get off Microsoft? Should we get off the cloud?

Nobody – and no cloud provider – has perfect security. Storm-0558 is a skilled and determined attacker behind two of the most spectacular hacks in recent history – they aren’t called Advanced Persistent Threats (APTs) for nothing. This was a very sophisticated operation that took significant skill and expense. Unless you are the sort of organisation likely to be targeted by nation-state actors of that calibre, we don’t think this incident significantly increases your risk of compromise, and we don’t think you should be worrying about it.

We also don’t recommend you get off the cloud – we certainly won’t be. Even with these issues, Microsoft is still better than most of us at running IT securely. The many examples of widespread compromise through unpatched vulnerabilities in on-premises products such as Exchange Server are evidence of that.

They are ISO 27001 certified – how did they get pwned?

Does this prove that the ISO 27001 certificates and SOC 2 reports are worthless?

There are three things to say about this. Firstly, both ISO 27001 and SOC 2 are based on standards that are meant to be widely applicable. If those standards described measures sufficient to defeat an APT, hardly any organisation in the world would meet them.

Secondly, these reports and certifications give us assurance that security mechanisms are in place. Our only other option is to audit providers ourselves – and most large CSPs (those with thousands of customers) just aren’t going to allow that. The cost of keeping enough staff to support all those audit requests alone would be humongous.

So, flawed instruments though they are, these certifications are the only thing that we have. They are the only way we can gain insight into the way large scale service providers secure themselves and their systems. And they still have significant value. Would your auditors have picked up the lack of key rotation? How expensive would that level of audit be for you?

Thirdly, having a compliant information security management system in place doesn’t mean that you won’t be hacked – it never has and it never will. It makes it less likely, and it means that you are better placed to manage the impacts if it does happen. But no-one is perfectly secure and these standards and reports don’t make that claim.

What is Microsoft doing about all this?

Microsoft has responded to the report by promising to make security a priority as well as implementing all of the CSRB’s recommendations. You can read their official announcement here.