Demanding answers for Microsoft’s cyber vulnerabilities

Microsoft Faces Mounting Scrutiny Over China-Linked Email Hack

Leading lawmaker accuses tech company of security negligence that enabled spying campaign

July 27, 2023 9:00 am ET

Microsoft says hackers got to the emails by first gaining access to an obscure but critical part of its infrastructure called an MSA digital signing key. PHOTO: JACOB KEPLER FOR THE WALL STREET JOURNAL

Microsoft is attracting renewed scrutiny and accusations of negligent security over a hack that allowed China to spy on top Biden administration officials, as some security researchers say the breach may be worse than initially suspected.

The Chinese hack, disclosed earlier this month, compromised the unclassified Microsoft email inboxes of senior State Department officials, including the U.S. ambassador to China, as well as Commerce Secretary Gina Raimondo and others, according to U.S. officials.

Full details about the attack, including how it began, aren’t publicly known, but it has prompted a number of congressional inquiries. On Thursday a leading lawmaker on cybersecurity issues, Sen. Ron Wyden (D-Ore.), asked for three separate federal probes of Microsoft’s “negligent cybersecurity practices” that he said enabled a Chinese espionage campaign against the U.S. government.

“Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident,” Wyden said in the letter, which is addressed to Attorney General Merrick Garland, Federal Trade Commission Chair Lina Khan and Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency.

Microsoft said the hackers obtained access to an obscure but critical part of its infrastructure called an MSA digital signing key, which was then used to gain access to customer data. The company has explained aspects of the hack in blog posts but said how it unfolded is currently unknown. The tech company also said it would make certain tools that can help spot cyberattacks free, after its tiered payment system for those services drew criticism following the hack.

A Microsoft spokesman said that the company is working with government agencies and is committed to sharing information about the hack. “This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks,” he said.

“These signing keys are the most precious secret that you have,” said Ami Luttwak, co-founder of the cloud-security company Wiz, in an interview. “It’s like you have a printing machine to all of the passports in the world: You can become anyone that you want.”

The U.S. says the hack compromised the unclassified Microsoft email inboxes of officials including Commerce Secretary Gina Raimondo. PHOTO: NATHAN HOWARD/BLOOMBERG NEWS

Researchers at Wiz said that the digital key that was obtained had been issued in 2016 and wasn’t taken out of service until a few weeks after the attack was discovered.

The Microsoft spokesman said the Wiz findings presented “hypothetical attack scenarios” that the company hasn’t observed.

MSA keys can be used to gain access to Microsoft’s consumer products, but because of a flaw in Microsoft’s cloud, the hackers were able to use the stolen key to access government and corporate accounts, according to Microsoft.

Security experts and Wyden questioned several Microsoft practices, including apparently allowing the same MSA key to be used for years.

“Federal cybersecurity guidelines, industry best practices, and Microsoft’s own recommendations to customers, dictate that encryption keys be refreshed more frequently, for the very reason that they might become compromised,” Wyden said.
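The two failures described above, a key accepted outside the audience it was issued for and a key left in service for years, are both things a token verifier can refuse. The check below is an added illustration, not Microsoft's code and not a description of its actual token format; the key sets, the 90-day rotation policy and the HMAC-signed token layout are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key sets: one for consumer accounts, one for enterprise tenants.
# Each key records when it was issued so its age can be checked at verification time.
NOW = 1_690_000_000                       # fixed "current time" keeps the demo deterministic
ROTATION_MAX_AGE = 90 * 24 * 3600         # hypothetical policy: keys older than 90 days are retired
KEY_SETS = {
    "consumer":   {"kid-c1": {"secret": b"consumer-key-2016", "issued_at": NOW - 7 * 365 * 24 * 3600}},
    "enterprise": {"kid-e1": {"secret": b"enterprise-key-2023", "issued_at": NOW - 10 * 24 * 3600}},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(key_set: str, kid: str, claims: dict) -> str:
    """Mint a compact header.body.signature token with the chosen key (constructed format)."""
    secret = KEY_SETS[key_set][kid]["secret"]
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def verify_token(token: str, expected_key_set: str, now: int = NOW) -> tuple[bool, str]:
    """Accept a token only if its kid belongs to the key set for THIS audience,
    the key is inside its rotation window, and the signature checks out."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    if not isinstance(header, dict):
        return False, "malformed"
    # Scope binding: a key from another audience's set is simply unknown here.
    key = KEY_SETS[expected_key_set].get(header.get("kid"))
    if key is None:
        return False, "kid not in expected key set"
    # Rotation: a valid signature from a stale key is still rejected.
    if now - key["issued_at"] > ROTATION_MAX_AGE:
        return False, "signing key past rotation window"
    expected = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig_b64):
        return False, "bad signature"
    return True, "ok"
```

The order matters: the key-set lookup runs before the signature check, so a token minted with the wrong audience's key fails closed regardless of whether its signature is valid.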

Digital certificates also played a role in Russia’s SolarWinds hack, discovered in 2020. Wyden also faulted Microsoft for its role in that incident.

Although experts praised Microsoft for providing some details about the Chinese hack, some have called for more disclosure, saying it is needed to determine the extent of the damage and whether it could happen again.

“My concern here is that we don’t know how the key got away,” said Karim El-Melhaoui, principal security architect with security company O3 Cyber.

In his letter, reviewed by the Journal, Wyden asked the Justice Department to investigate whether Microsoft violated federal law relating to cybersecurity standards for government contractors. He also asked the FTC to investigate Microsoft’s privacy and data-security practices, including whether the alleged security lapses at issue in the hack began before the expiration in December of a 20-year consent decree the agency imposed following an earlier security incident.
