A scathing US government report found that an intrusion into Microsoft servers by a Chinese hacking group, which breached the emails of multiple senior US officials, was due to a “cascade of avoidable errors” by the tech giant.
The Cyber Safety Review Board (CSRB), led by the US Department of Homeland Security, conducted a seven-month investigation into the incident that involved the China-affiliated cyberespionage actor Storm-0558.
The operation, which was first discovered by the US State Department in June 2023, included hacks on the official and personal mailboxes of Commerce Secretary Gina Raimondo and US Ambassador to China Nicholas Burns.
Microsoft’s core business is to provide cloud computing services, such as Azure or Office 365, that host sensitive data and power business and government operations across major sectors of the economy.
The report, which was released on Monday, criticized a Microsoft corporate culture that was “at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company.”
“Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy,” said CSRB Chair Robert Silvers.
“It is imperative that cloud service providers prioritize security and build it in by design,” he added.
The review identified a series of operational and strategic decisions by Microsoft that opened the door to the breach, including the failure to identify a new employee’s compromised laptop following a corporate acquisition in 2021.
It also found that Microsoft fell short of safety standards seen at competing cloud companies, including Google, Amazon and Oracle.
“The Board finds that this intrusion was preventable and should never have occurred,” the review said, pinpointing “the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.”
The report also recommended that Microsoft develop and publicly release a plan with timelines to enact wide-ranging security reforms across its products and practices.
CSRB Deputy Chair Dmitri Alperovitch called Storm-0558 and similar actors a “persistent and pernicious threat” that had “the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government.”
The government thanked Microsoft, which did not immediately reply to a request for comment, for fully cooperating with its review.