Microsoft downplays damaging report on Chinese hacking its own engineers vetted

A report by an independent firm found that an operation by Chinese hackers could be quite broad — and Microsoft engineers agreed.

Facing pressure in Washington to explain how hackers based in China infiltrated its systems in order to pilfer U.S. officials’ emails, Microsoft continues to dispute evidence that the breach may have been larger than initially described.

In a report published earlier this month, researchers at the security firm Wiz concluded that an encryption key stolen by Chinese hackers to target U.S. officials could have been used far more broadly. Microsoft has said the Chinese operation was a targeted and stealthy one and has disputed Wiz’s findings — despite the fact that Microsoft’s own engineers vetted the Wiz report.

In a statement to CyberScoop, a Microsoft spokesperson dismissed Wiz’s “blog” as “hypothetical attack scenarios” and said that Microsoft has not “observed those outcomes in the wild.” An earlier statement described the Wiz report as “speculative” and “not-evidence based.”

But there should be little reason to doubt Wiz’s technical findings, according to the report’s author, Shir Tamari. In an interview with CyberScoop, Tamari said that he met with a Microsoft technical team to discuss his findings and that the firm’s engineers were very helpful in correcting his analysis. “Eventually they approved everything,” he said.


Independent experts who have reviewed the Wiz report consider it sound. “I think it’s unimpeachable,” said Jake Williams, a former National Security Agency hacker and a cybersecurity researcher. 

The operation in question relied on a stolen encryption key that the attackers used to create forged authentication tokens, which allowed them to break into the email inboxes of U.S. Commerce Secretary Gina Raimondo and the U.S. ambassador to China, Nicholas Burns. Microsoft has revoked the key in question, but based on Wiz’s analysis, it could still be used to forge identification tokens in some scenarios without Microsoft knowing about it.

A spokesperson for Microsoft declined to answer detailed questions about the company’s role in contributing to the report and whether more than two weeks after first disclosing the incident the firm is any closer to understanding how the encryption key in question was stolen.

In many cases, application developers that rely on Microsoft’s identity services choose to cache their encryption keys locally. That means that even if Microsoft has revoked the key, some systems may continue to trust the revoked key that is cached locally. Systems like these remain vulnerable to attacks utilizing the stolen key and raise the possibility of an ongoing, far broader operation than what Microsoft has described, according to Wiz. 
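
The caching behaviour described above, as an added example that is not from the article, Wiz or Microsoft: a verifier-side key cache keeps trusting a key the issuer has withdrawn until its next refresh, and a small audit helper lists cached key ids the issuer no longer publishes. `KeyCache`, the key ids, key values and the sample token are constructed for illustration; signature verification with the returned key is left to the caller.

```python
import base64
import json
def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def make_token(kid):  # constructed sample token, placeholder signature
    header = json.dumps({"alg": "RS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"

class KeyCache:
    """Hypothetical verifier-side cache of issuer signing keys, by key id."""
    def __init__(self, fetch_published, max_age_seconds):
        self.fetch_published = fetch_published  # returns {kid: key}
        self.max_age = max_age_seconds
        self.keys, self.fetched_at = {}, None

    def refresh(self, now):
        # Replace, never merge: a withdrawn key must drop out of the cache.
        self.keys, self.fetched_at = dict(self.fetch_published()), now

    def trusted_key(self, token, now):
        """Key for the token's kid, or None if the cache does not trust it."""
        if self.fetched_at is None or now - self.fetched_at >= self.max_age:
            self.refresh(now)
        try:
            kid = b64url_json(token.split(".")[0]).get("kid")
        except (ValueError, AttributeError):
            return None  # malformed header: trust nothing
        return self.keys.get(kid)

def stale_kids(cached, published):
    """Key ids still cached locally that the issuer no longer publishes."""
    return sorted(set(cached) - set(published))

def demo():
    published = {"kid-A": "pubkey-A", "kid-B": "pubkey-B"}  # constructed
    cache = KeyCache(lambda: published, max_age_seconds=3600)
    token = make_token("kid-A")
    before = cache.trusted_key(token, now=0)
    del published["kid-A"]                         # issuer withdraws the key
    window = cache.trusted_key(token, now=1800)    # cache not yet refreshed
    audit = stale_kids(cache.keys, published)      # flags the stale entry
    after = cache.trusted_key(token, now=3600)     # refresh evicts kid-A
    return before, window, audit, after

if __name__ == "__main__":
    print(demo())
```

The shorter the refresh interval, the shorter the window in which a withdrawn key is still accepted; a cache that never refreshes, or that merges new keys into old ones, never closes it.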

If the hackers who stole the key are in fact carrying out a broader campaign, it is impossible to say how many victims may be compromised. But the potential universe of vulnerable systems is huge. “We are talking about big numbers,” said Tamari. 


And if a broader campaign is taking place, it’s not clear that Microsoft or the affected victims will be able to tell. “In the case of a compromised signing key, the threat actor can sign those keys offline,” Tamari said. “So they can do it on their own workstations, and just send them directly to the target application.”

With Microsoft refusing to provide additional details about the scope of a campaign that it has dubbed Storm-0558 and says was limited to targeting some two dozen organizations, lawmakers in Washington are growing increasingly frustrated with the company.

In a letter sent Thursday, Sen. Ron Wyden, D-Ore., accused Microsoft of being “negligent” in its cybersecurity practices and asked the Department of Justice to investigate whether Microsoft violated federal law in failing to follow recommended cybersecurity practices. Wyden asked the Cybersecurity and Infrastructure Security Agency to direct the Cyber Safety Review Board to examine the incident and to investigate why audits did not uncover failures in Microsoft’s security procedures. Wyden also asked the Federal Trade Commission to look into whether Microsoft may have engaged in unfair or deceptive business practices.  

In a separate letter sent last week, a bipartisan group of 14 senators requested that the State Department’s chief information officer — whose cybersecurity workers first discovered the breach — offer additional information on how the intrusion occurred. 

Detecting the Storm-0558 campaign required customers to have purchased a higher-tier, more expensive Microsoft security product that logged the type of data in which the operation showed up. That means many app developers who rely on Microsoft’s identity services in building applications will have no way of knowing whether their systems were targeted. And if developers rely on local certificate stores or cached keys, it’s not clear that Microsoft will be able to detect use of the stolen key in these instances either. 


Microsoft has since said it will revise its policies around the availability of advanced logging, but it will likely be too late to detect this campaign. “I highly doubt the app developers have those logs and neither will Microsoft,” said Williams, the former NSA security researcher. “Even confirming the scope of the exploitation is just monumentally hard.” 

Customers have flocked to Microsoft’s security offerings in recent years, and its security products now bring in $20 billion annually. But this incident may put a dent in the company’s bumper security business. Microsoft’s competitors are increasingly arguing that the federal government is a fool to rely too much on Microsoft for security, and this incident may end up providing fodder for their sales pitch. 

“There will be a willing dance partner for any agency who wants to recompete or tear up a contract with Microsoft,” said Trey Herr, who directs the Atlantic Council’s Cyber Statecraft Initiative and previously worked at Microsoft as a security strategist. “The federal government is business too big to ignore.” Google, in particular, has made the argument for creating an “off ramp from being a single vendor cloud — pushing the rhetoric of ‘multi-cloud,’” Herr said.

But, Herr added, “Google being opportunist is not a solution to a security problem.” 

Written by Elias Groll

Elias Groll is a senior editor at CyberScoop. He has previously worked as a reporter and editor at Foreign Policy, covering technology and national security, and at the Brookings Institution, where he was the managing editor of TechStream and worked as part of the AI and Emerging Technology Initiative. He is a graduate of Harvard University, where he was the managing editor of The Harvard Crimson.
