In a letter released yesterday, 27 July, Senator Ron Wyden urged the FTC, CISA and DOJ to “hold Microsoft responsible for negligent cybersecurity practices” that “enabled” a successful Chinese hack against the US government.
The letter, addressed to the heads of each organisation, explains that the hack took place after the attackers stole an encryption key Microsoft itself had generated for Outlook’s identity service.
The stolen key allowed the hackers to “impersonate users and gain access to Microsoft-hosted consumer accounts”, despite multi-factor authentication being in place.
Microsoft itself has stated that the hack went undiscovered for around a month, until it received complaints from users reporting unusual email activity on their accounts.
Not only did the hackers gain access to consumer email accounts, but also to accounts belonging to government agencies and organisations.
Wyden adds that this recent hack “is not the first espionage operation in which a foreign government hacked the emails of US government agencies by stealing encryption keys and forging Microsoft credentials.”
Back in 2020, the Russian-led SolarWinds hacking group also targeted Microsoft accounts using similar methods.
Wyden’s letter claims that Microsoft failed to warn its user base that encryption keys could be stolen, despite knowing of the risk since 2017. Moreover, Wyden states that Microsoft “never took responsibility for its role in the SolarWinds hacking campaign.”
Instead, the letter details that Microsoft “blamed its customers for using the default logging settings” Microsoft itself had chosen.
The letter states that Microsoft should accept more responsibility for the recent hacks, stressing that Microsoft should not have relied on a single skeleton key to accounts that, once stolen, “could be used to forge access” to private communications.
Secondly, the letter calls for Microsoft to store its encryption keys in a proper hardware security module (HSM) “whose sole function is to prevent the theft” of encryption keys.
Finally, the letter recommends courses of action for CISA, the FTC and the DOJ to investigate Microsoft’s accountability in the hack.
These actions include an investigation into Microsoft’s data security practices and an examination by the Department of Justice into whether Microsoft’s possible negligence has broken US law.
According to GlobalData’s 2023 thematic intelligence report into cybersecurity, cyber risk is higher than ever, and global cybercrime is estimated to reach $10.5tn annually by 2025. As Big Tech continues to face mass layoffs and tighter budget scrutiny, cybersecurity will remain a priority.