The Cyber Safety Review Board (CSRB) released a damning report on Tuesday that claimed serious errors by Microsoft allowed a Chinese hack that targeted the emails of top U.S. government officials.
The report, released by the U.S. Department of Homeland Security, came after an independent review of the Summer 2023 Microsoft Exchange Online intrusion.
This is the third review the CSRB has completed since President Biden mandated the Board through an executive order in February 2022.
The CSRB determined that Microsoft could have prevented the hack by Storm-0558, a nefarious group affiliated with the People’s Republic of China. The Board pointed to several operational and strategic decisions that underscored a corporate culture that failed to prioritize security and risk management.
The State Department detected the breach last June. It was discovered because the agency was paying for a higher-tier service that showed audit logs, which revealed that the hackers had obtained around 60,000 emails. According to The Washington Post, Microsoft says it will now provide agencies with that service free of charge.
The Board wrote that the company’s “security culture was inadequate and requires an overhaul” and the attack was caused by a “cascade of avoidable errors.”
The report also suggested that Microsoft was not fully transparent about what they knew regarding the origin of the attack.
It was determined that, for months, Microsoft failed to correct inaccurate statements that residual data from a widespread system crash had caused the breach. Microsoft, according to the Board, continues to say it is unsure if this event led to the attack.
“Microsoft’s decision not to correct in a timely manner its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not,” the report noted.
Microsoft has admitted they “have not found a crash dump containing the impacted key material.”
The company updated its public statements on March 12 when it was determined the review was reaching its conclusion.
Microsoft was asked to develop and publicly share a plan, including a timeline, for reforms across its company and products.
“We appreciate Microsoft’s full cooperation in the course of the Board’s seven-month, independent review. We also appreciate the input received from 19 additional companies, government agencies, and individual experts,” DHS Under Secretary of Policy and CSRB Chair Robert Silvers said in a statement announcing the review’s completion.
Microsoft has been the victim of several breaches in recent years.
In 2021, hackers affiliated with China accessed Microsoft Exchange email servers, compromising 30,000 public and private organizations in the U.S. alone.
The SVR, a Russian spy entity, attacked Microsoft’s corporate email systems in January.
The infamous 2020 SolarWinds attack by Russian hackers was also orchestrated in part by exploiting a program Microsoft provides to companies. The program allows companies to authenticate the identity of employees on their email systems.
Microsoft did not immediately return Fox News Digital’s request for comment.