In a letter to Microsoft CEO Satya Nadella, Senator Ron Wyden (D-OR) has called on the company to be held accountable for a recent hack that allowed Chinese hackers to access the email accounts of government agencies and other organizations.
Senator Wyden’s letter was addressed to Attorney General Merrick Garland, Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Trade Commission (FTC).
The hack exploited a vulnerability in Microsoft’s 365 (formerly Office), Exchange, and Outlook.com software. While the hack did not access classified data, it remains sensitive and highly embarrassing.
Microsoft has named the Chinese-based hacking group as the advanced persistent threat group Storm-0558.
Storm-0558 hack bypassed multi-factor authentication
The vulnerability allowed the hackers to steal an encryption key that could be used to create forged tokens for Microsoft-hosted accounts. These forged tokens could then be used to access the accounts without knowing the passwords. It could even access accounts protected with multi-factor authentication.
Wyden said that Microsoft’s “negligence” in securing the encryption key allowed the hackers to gain access to the accounts. He has asked the Justice Department, CISA, and the FTC to investigate whether Microsoft violated any laws or regulations.
Wyden also noted that this is not the first time that a foreign government has hacked government agencies by exploiting Microsoft vulnerabilities. In 2013, Chinese hackers were able to steal classified information from the State Department’s unclassified email system by exploiting a vulnerability in Microsoft’s Outlook software.
Microsoft responds to cybersecurity attacks
Microsoft has said that it is “committed to the highest levels of security” and that it is “working closely with law enforcement” to investigate the hack. The company has also said that it has taken steps to protect its customers from future attacks.
“This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks. We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog,” a Microsoft spokesperson said.
Software supply chain cyber threats remain a top vulnerability
This isn’t the first time that a nation-state or foreign government-affiliated hacking group has exploited the software supply chain at a global scale.
In 2020, Kremlin-affiliated hackers in Russia exploited SolarWinds, which utilized a similar hacking technique of compromising the software supply chain. The damages are estimated in billions of dollars and affected over 18,000 organizations globally.
The hack is a serious security incident that has the potential to have far-reaching consequences. It is important that Microsoft and other technology companies take steps to protect their customers from future attacks.
