The US Cyber Safety Review Board says the targeted hack by Chinese operatives on top government officials’ emails last year was “preventable” and blamed technology giant Microsoft.
The hacking group Storm-0558, linked to the People’s Republic of China, carried out the intrusion by compromising a Microsoft engineer’s corporate account.
In its report, the board pointed to a series of “operational and strategic” decisions by Microsoft that compromised enterprise security and led to the July breach. It concluded that its security culture was “inadequate” and “requires an overhaul.”
The board also criticized what it described as Microsoft’s deliberate lack of transparency and
urged the company to implement and prioritize security-focused reforms across its entire range of products.
“The Board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products,” the review board wrote.
According to the report, Microsoft has yet to determine how the hackers breached their system.
“While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” a Microsoft spokesperson said in a statement.
They added the company will “continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries.”
In July, Storm-0558 hacked into the email accounts of 22 organizations and over 500 individuals worldwide. Among the targets was the US ambassador to China, Nicholas Burns. Microsoft revealed in a blog post that this group has conducted similar hacks since at least 2009, breaching cloud providers or swiping authentication keys to access accounts. Their targets have included major companies like Google, Yahoo, Adobe, Dow Chemical, and Morgan Stanley.