Microsoft slammed over security flaws that led to Chinese attack on Exchange systems

An abstract image of digital security.
(Image credit: Shutterstock) (Image credit: Shutterstock)

In the summer of 2023, Microsoft Exchange Online was hit in a series of intrusions by a People's Republic of China (PRC) backed actor tracked as Storm-0558, who gained access to the mailboxes of 22 organizations.

The mailboxes were used by over 500 people, and compromised a number of US government representatives including Commerce Secretary Gina Raimondo, US Ambassador to the PRC R. Nicholas Burns, and Congressman Don Bacon.

Microsoft Exchange Online uses signing keys to securely authenticate access to remote systems, and Storm-0558 managed to obtain a legitimate signing key which, when used in conjunction with another Exchange Online vulnerability, could have allowed them to access any account in the world.

Cloud security “has never been more important”

The attack has since been found to have been preventable, according to a report by the Department of Homeland Security (DHS) and the Cyber Safety Review Board (CSRB), stating that there were decision made pointing to “a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

The review found that Microsoft’s negligence in signing key rotation resulted in a 2016 key remaining active in 2023. Furthermore, a number of critical security controls that were standard practice for other CSPs at the time of the attack were not in place, which could have detected and prevented an intrusion of this scale.

Microsoft were also found to have issued conflicting communications at the time of the incident, stating that the 2016 key was likely stolen during a “crash dump,” then later stating that there was no evidence to suggest the key was stolen in this scenario.

CSRB Acting Deputy Chair Dmitri Alperovitch said, “This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government. Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors.”

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division),  then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.