Revelations that hackers in China used a Microsoft security flaw to execute a highly targeted, sophisticated operation targeting some two dozen entities, including the U.S. commerce secretary, have officials and researchers alike exasperated that the company’s products have once again been used to pull off an intelligence coup.
What’s worse, U.S. cybersecurity workers only discovered the operation this week thanks to a premium Microsoft logging service that costs customers extra and without which the attack likely could not be detected.
As the Biden administration pushes a so-called “secure by default” approach to cybersecurity as a part of the White House National Cybersecurity Strategy, the fact that Microsoft up-charges customers for security features — even to discover its own flaws — has some officials questioning the reliance on huge tech firms that play a central role in Washington’s broader computer security initiatives.
“Offering insecure products and then charging people premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags,” Sen. Ron Wyden, D-Ore., said in a statement.
Over the course of a month — between May 15 and June 16 — Chinese hackers succeeded in penetrating the email inbox of Secretary of State Gina Raimondo and employees at the U.S. State Department just as Secretary of State Tony Blinken prepared for a critical trip to China.
It is unclear what the operation, which security officials describe as remarkably stealthy, netted the hackers, but two White House officials told CNN that they believe the breach offered Beijing insights about Blinken’s June visit to China. And while it is also unclear what the hackers obtained from Raimondo’s inbox, the commerce secretary has helped craft highly restrictive U.S. export controls cutting China off from advanced semiconductors. Raimondo is expected to soon travel to China.
To pull off the operation, the hackers appear to have obtained an encryption key used to create user tokens — the ephemeral digital access codes that allow users to come and go to a computing service in the cloud. How the hackers obtained that key represents a major mystery and a major security failure by the company.
In a technical blog post published Friday, Microsoft said that “the method by which the actor acquired the key is a matter of ongoing investigation” and that the company has “hardened key issuance systems since” the stolen key was issued. “Our active investigation indicates these hardening and isolation improvements disrupt the mechanisms we believe the actor could have used to acquire [Microsoft account (MSA) consumer] signing keys,” the blog post notes.
But the fact that such a key could be used at all to create fraudulent identities to access the email systems of senior U.S. officials has security researchers scratching their heads how Microsoft could build such an insecure system. Russian hackers used a similar vulnerability in a Microsoft system to penetrate thousands of systems as part of the Solar Winds hacking campaign.
The Russian campaign exploiting Solar Winds — known also as “Sunburst” — exploited an attack vector known as “Golden SAML” to create forged authentication objects, and while many of the technical details of the Chinese attack remain unclear, researchers are outraged that Microsoft systems would again be exploited in an attack relying on a method of forged authentication tools.
“If they haven’t torn all of that infrastructure down and made sure it’s built as tightly as possible after Sunburst then maybe they just really don’t care at all,” said Trey Herr, who directs the Atlantic Council’s Cyber Statecraft Initiative. “They’re selling products that are built on a critical service — it can’t be spaghetti code or rely on crazy assumptions poorly communicated to the customer.”
To be sure, security experts caution that stopping cyber operations by skilled, well-resourced hackers remains immensely difficult. When a nation-state is willing to dedicate time and resources to penetrating a computer system, defending against it is a staggering challenge. But the combination of a stealthy attack that could only be detected using a more expensive Microsoft product created a major headache for groups told they had been targeted by the operation.
After Microsoft informed a human rights group that they had been affected by the breach, the group turned to the cybersecurity firm Volexity, but Steven Adair, the company’s president, and his colleagues couldn’t find evidence of a breach. That’s because the organization in question had a less expensive E3 license level. Detecting the attack required upgrading to a more expensive E5 or G5 plan — something most civil society groups can’t afford.
“What if they hadn’t hit anybody with a G5 license?” Adair wondered aloud in an interview with CyberScoop. “When, if ever, would it have been noticed?”
That approach to security has many in the cybersecurity community deeply frustrated with Microsoft, whose products are growing increasingly ubiquitous.
“Microsoft is running a Black Friday sale,” said Juan Andres Guerrero-Saade, the senior director of SentinelLabs, the research division of the cybersecurity firm SentinelOne. “They’re lowering the security bar for everyone so that ‘standard’ can be sold as ‘premium’ and everyone that can’t afford it is on their own.”
The failure of a cloud-based service to stop a sophisticated attack presents a challenge to the Biden administration’s cybersecurity strategy, which notes that “cloud-based services enable better and more economical cybersecurity practices at scale.”
The transition to cloud-based services is supposed to deliver security benefits for the government — while providing lucrative contracts to the tech sector — but if operations such as the one disclosed this week can still be carried out against a firm like Microsoft, it is unclear whether the transition to cloud will deliver the expected security benefits.
Indeed, Microsoft’s failure to provide by default the necessary logging to detect the attack has resulted in rare criticism from officials at the National Security Council and the Cybersecurity and Infrastructure Security Agency, two entities that work closely with the company on a range of security issues.
“Every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box,” a senior CISA official told reporters this week, adding that the failure to provide robust security features by default “is not yielding the sort of security outcomes that we seek.”
In a statement about the operation, U.S. National Security Council Spokesperson Adam Hodge noted that “we continue to hold the procurement providers of the U.S. Government to a high security threshold.”
Under pressure from the government, Microsoft may be shifting its approach on which logging features are available under lower-tier licenses. A Microsoft spokesperson told CyberScoop that the company has “historically provided security logs to customers” with options on how they are stored. The company is “evaluating feedback,” remains “open to other models” and is “actively engaged with CISA and other agencies on this.”
Shortly before details of the operation were made public late Tuesday, Microsoft’s head of federal business, Rick Wagner, stepped down from his role. Details of his replacement, and who takes over his responsibilities in the interim, have yet to be announced.
Madison Alder and John Hewitt Jones contributed reporting to this article.