US Senator Ron Wyden has requested that the Department of Justice (DOJ), the Federal Trade Commission (FTC), and the Cybersecurity and Infrastructure Security Agency (CISA) investigate the recent hack of Microsoft email accounts. This request comes in the wake of a significant cyberattack that has raised serious concerns about the security of Microsoft's cloud services. The senator's call for action is a response to a hacking campaign that targeted organizations, including government agencies, that were Microsoft customers.
Ron Wyden Questions Microsoft's Role
In a detailed letter, Wyden asked the agencies to examine whether Microsoft's security practices allowed the breach ahead of a diplomatic trip to China last month by officials including Commerce Secretary Gina Raimondo, Ambassador to China Nicholas Burns, and Assistant Secretary of State Daniel Kritenbrink. The senator stated, “Government emails were stolen because Microsoft committed another error.” He urged CISA to have its Cyber Safety Review Board investigate Microsoft's role, including how the company's practices went undetected during required audits.
It goes without saying that foreign governments shouldn't be able to hack into the email accounts of U.S. government officials. I'm demanding the federal government investigate how Microsoft's neglect of cybersecurity enabled this Chinese spying campaign. https://t.co/5IzukiCtOO
— Ron Wyden (@RonWyden) July 27, 2023
In his letter, Wyden further elaborated on the incident, stating that the email accounts compromised include those of the Secretary of Commerce, the U.S. Ambassador to China, and the Assistant Secretary of State for East Asia. Rob Joyce, the director of cybersecurity at the National Security Agency, has publicly described this hacking campaign as “China doing espionage.”
The senator also highlighted the role of Microsoft's identity service, Microsoft Account (MSA), in the incident. MSA validates that a user is who they claim to be – for example, by verifying the password for a @hotmail.com account – and issues “authentication tokens” that confirm that a user has been validated. Consumer-facing Microsoft products, such as Outlook, verify that a token is valid by checking that a token is digitally signed using an MSA encryption key.
Wyden's letter comes as a response to the disclosure by Microsoft Security of a massive cyberattack by a Chinese group named Storm-0558. The group hacked into the email accounts of dozens of U.S. government agencies and other organizations, exploiting a flaw in Microsoft's email security service. The senator's letter also highlighted that the hack occurred because hackers had stolen an encryption key that Microsoft had generated for its identity service, Microsoft Account (MSA).
Microsoft's Response and the Hackers' Identity
In a detailed response to the hack, Microsoft Security disclosed the cyberattack, stating that the hackers exploited a flaw in its email security service to access the email accounts of about 25 organizations, including government agencies, think tanks, law firms, and NGOs. The hackers also targeted the personal accounts of some individuals associated with these organizations.
There are concerns that the stolen encryption keys may have allowed further access to federal systems. Wyden criticized Microsoft's handling of the hack, saying it failed to take responsibility for previous incidents like the 2020 SolarWinds campaign attributed to Russia. He also asked the DOJ to investigate if Microsoft violated federal law through negligent practices.
Behind the Storm-0558 attack was a compromised Microsoft key, which was used to authenticate to countless Microsoft 365 accounts without the need for a password or any other form of user verification. This key is part of Microsoft's SAML (Security Assertion Markup Language) system, which is used to exchange authentication and authorization data between parties. In this case, the key was being used to generate SAML tokens that were then used to authenticate Microsoft 365 accounts.
The compromised key was not just used to access individual accounts but also to gain access to entire organizations' Microsoft 365 systems. This means that the attackers could have potentially had access to a vast amount of sensitive data, including emails, documents, and other data stored in these systems.
In response to the discovery, Microsoft has revoked the compromised key and is working to strengthen its security measures. However, the damage has already been done, and it is unclear how many accounts were accessed using the compromised key. Microsoft has taken several steps to address the issue, including identifying the root cause, establishing durable tracking of the campaign, disrupting malicious activities, hardening the environment, notifying every impacted customer, and coordinating with multiple government entities.
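The token model described above (an identity service such as MSA signs a token, a consumer product such as Outlook accepts it only if the signature checks out, and revoking the key invalidates every token minted with it) as an added Python example that is not from the original article and not Microsoft's code; HMAC-SHA256 stands in for MSA's asymmetric signing keys, and the issuer, audience and key ids are assumed values constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed key set: key id -> secret. MSA uses asymmetric signing keys; HMAC-SHA256
# is a stdlib-only stand-in assumed for this example, not Microsoft's actual design.
ISSUER = "msa.example"           # hypothetical identity-service name
AUDIENCE = "outlook.example"     # hypothetical relying party (mail service)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(keys: dict, kid: str, subject: str, now: int) -> str:
    """Identity service: sign {issuer, audience, subject, expiry} with key `kid`."""
    header = {"alg": "HS256", "kid": kid}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "exp": now + 3600}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(keys[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_token(trusted_keys: dict, token: str, now: int):
    """Relying party: return (claims, 'ok') if valid, else (None, reason)."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_unb64(h))
        claims = json.loads(_unb64(c))
    except (ValueError, json.JSONDecodeError):
        return None, "malformed"
    key = trusted_keys.get(header.get("kid"))
    if key is None:                       # revoked or unknown signing key
        return None, "untrusted kid"
    expected = hmac.new(key, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return None, "bad signature"
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None, "wrong issuer/audience"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    return claims, "ok"

def revocation_demo() -> tuple:
    """Mint a token under key 'k1', then revoke k1 and verify the same token again."""
    now = 1_700_000_000                   # constructed fixed clock
    keys = {"k1": b"constructed-secret-1", "k2": b"constructed-secret-2"}
    token = issue_token(keys, "k1", "user@example", now)
    before = verify_token(keys, token, now)[1]
    del keys["k1"]                        # revocation: drop the compromised key
    after = verify_token(keys, token, now)[1]
    return before, after                  # ("ok", "untrusted kid")
```

The same check also rejects a token whose signature or claims were altered, and one whose signing key is absent from the trusted set, which is why rotating out a stolen key is the immediate containment step rather than waiting for tokens to expire.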
The Future of Cybersecurity
The Storm-0558 incident is a stark reminder of the importance of robust security measures. Even the most secure systems can be compromised, so organizations must be proactive in protecting their data and their customers. In the wake of this incident, cybersecurity experts from Wiz have recommended that organizations review their security measures and ensure that they are up to date. This includes regularly updating passwords, using multi-factor authentication, and regularly monitoring for any suspicious activity. The Storm-0558 incident is a wake-up call for the cybersecurity world: constant vigilance is necessary to protect against these threats.