Microsoft Exchange state-linked hack entirely preventable, cyber review board finds

David Jones / Cybersecurity Dive

April 4, 2024

1 Min Read
Microsoft Exchange state-linked hack entirely preventable, cyber review board finds

Dive Brief:

  • The state-linked intrusion on Microsoft Exchange Online that led to the theft of about 60,000 U.S. State Department emails last summer “was preventable and should never have occurred”, the Cyber Safety Review Board said Tuesday in a report.

  • A series of operational and strategic decisions by Microsoft pointed to a corporate culture that deprioritized investments in enterprise security and rigorous risk management, despite the central role the company plays in the larger technology ecosystem, the report said.

  • The CSRB urged Microsoft to publicly share its plans to make fundamental, security focused reforms across the company and its suite of products. The board also recommended that all cloud services providers and government partners enact security-focused changes.

Dive Insight:

The China-affiliated threat actor Microsoft identifies as Storm-0558 compromised the Microsoft Exchange Online mailboxes of 22 organizations and more than 500 individuals in the attacks, which began in May 2023.

The attacks compromised the individual mailboxes of key U.S. officials, including Commerce Secretary Gina Raimondo, Rep. Don Bacon, R-Neb., and Nicholas Burns, the U.S. ambassador to China.

The report highlights the need to overhaul not only security practices within Microsoft, but the larger body of cloud services that serve a critical role for companies, government agencies and other organizations across the U.S.

“Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy,” Rob Silvers, under secretary of policy at the Department of Homeland Security and chair of the CSRB, said in the announcement. “It is imperative that cloud service providers prioritize security and build it in by design.”

To read the complete article, visit Cybersecurity Dive.

 

About the Author

David Jones / Cybersecurity Dive

David Jones / Cybersecurity Dive

See more from David Jones / Cybersecurity Dive
Subscribe to receive Urgent Communications Newsletters
Catch up on the latest tech, media, and telecoms news from across the critical communications community
Sign Me Up

Recent

thumbnail
Regulations
Trump names Brendan Carr as next FCC chairmanTrump names Brendan Carr as next FCC chairman
byDonny Jackson
Nov 19, 2024
4 Min Read
thumbnail
AI & Analytics
Google, NLC issue AI guide for city leadersGoogle, NLC issue AI guide for city leaders
byYsabelle Kempe
Nov 17, 2024
1 Min Read
thumbnail
Tracking, Monitoring & Control
With new leadership, NextNav and Anterix boast of 900MHz momentumWith new leadership, NextNav and Anterix boast of 900MHz momentum
byMike Dano / Light Reading
Nov 17, 2024
2 Min Read
thumbnail
Public Safety
ZeroEyes earns key DHS designation, reducing legal liability for customersZeroEyes earns key DHS designation, reducing legal liability for customers
byDonny Jackson
Nov 16, 2024
4 Min Read