For the second time in six months, Microsoft has disclosed that spies affiliated with a foreign intelligence service breached the company’s systems, this time accessing the emails of senior company executives. And for the second time in as many months, officials in Washington along with security researchers and executives are arguing that the company simply isn’t doing enough to secure its systems.
“This is yet another wholly avoidable hack that was caused by Microsoft’s negligence,” Sen. Ron Wyden, D-Ore., said in a statement to CyberScoop.
Wyden is one of a growing number of Microsoft critics who argue that a series of breaches at the company raise questions about whether it is prioritizing and making sufficient investments in security. With Microsoft providing key computing infrastructure to the U.S. government, critics like Wyden argue that the company needs to be prodded to place security at the center of its work. “The U.S. government needs to reevaluate its dependence on Microsoft,” Wyden said.
The most recent breach involved the hacking group best known as Cozy Bear, which is believed to be a unit of Russia’s foreign intelligence service SVR. The group breached what Microsoft described as a “legacy non-production test tenant account” using a password spraying attack. Such an attack is among the most basic ways to compromise a computing system and would typically be prevented by multi-factor authentication — the kind of simple security hygiene that companies like Microsoft have for years encouraged their users to adopt.
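As an added illustration, not code from the article or from Microsoft, the following Python flags the sign-in pattern of a password spray (one source trying a few guesses against many accounts, staying under any per-account lockout) and surfaces any resulting success on an account that has no MFA, which is the situation the article describes. The log line format is a constructed assumption for the demo.

```python
"""Password-spray detection over constructed sign-in log lines.

Added example; the log format (timestamp, tenant, user, source IP, result,
mfa flag) is an assumption for this demo, not a real product's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries one guess per account across a legacy
# tenant without MFA, then lands on an account with a weak password.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z legacy-test alice 198.51.100.7 FAIL mfa=no
2024-01-12T03:00:03Z legacy-test bob 198.51.100.7 FAIL mfa=no
2024-01-12T03:00:05Z legacy-test carol 198.51.100.7 FAIL mfa=no
2024-01-12T03:00:07Z legacy-test dave 198.51.100.7 FAIL mfa=no
2024-01-12T03:00:09Z legacy-test erin 198.51.100.7 SUCCESS mfa=no
2024-01-12T03:10:00Z prod alice 203.0.113.5 FAIL mfa=yes
2024-01-12T03:10:30Z prod alice 203.0.113.5 SUCCESS mfa=yes
"""


def parse(line):
    ts, tenant, user, ip, result, mfa = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "tenant": tenant, "user": user, "ip": ip,
            "ok": result == "SUCCESS", "mfa": mfa == "mfa=yes"}


def detect_spray(log_text, window=timedelta(minutes=15), min_users=4):
    """Flag (ip, tenant) pairs whose failures hit >= min_users distinct
    accounts inside `window`. Per-account failure counts stay low in a
    spray, so the signal is breadth across users, not depth per user.
    Each alert lists the sprayed accounts and any success without MFA."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for e in events:
        by_src[(e["ip"], e["tenant"])].append(e)
    alerts = {}
    for key, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        for i, first in enumerate(fails):
            span = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in span}
            if len(users) >= min_users:
                no_mfa_ok = sorted(e["user"] for e in evs
                                   if e["ok"] and not e["mfa"])
                alerts[key] = {"sprayed_users": sorted(users),
                               "no_mfa_success": no_mfa_ok}
                break
    return alerts
```

A single user failing once and then succeeding with MFA (the `prod` lines) is not flagged; a hit on an MFA-less account after a spray is the case that should page someone.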
“It is inexcusable that Microsoft still hasn’t required multi-factor authentication, which is cybersecurity 101 and would have prevented this latest attack,” Wyden said.
In a statement, a spokesperson for Microsoft said that “the attack was not the result of a vulnerability in Microsoft products or services” and that “there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.”
Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a statement to CyberScoop that the agency is “closely coordinating with Microsoft to gain additional insights into this incident and ensure necessary transparency so we can understand impacts from this compromise. As noted in Microsoft’s announcement, at this time we are not aware of impacts to Microsoft customer environments or products.”
Last year, Microsoft was at the center of another breach — this time featuring Chinese hackers — that also caused security experts and officials to question the company’s security practices. In that case, hackers linked to China stole a signing key that was used to break into the email accounts of senior U.S. officials, among them the secretary of commerce, ahead of key meetings between Chinese and U.S. officials.
This pattern has cybersecurity experts questioning why Microsoft keeps falling victim to these kinds of breaches.
“Microsoft has some really good security people. But these problems keep happening, and they don’t happen with nearly the same rate or severity at other companies’ corporate networks,” said Andrew Grotto, who served as a senior cybersecurity official in both the Obama and Trump administrations. “That these problems keep happening at a disproportionate level speaks to some deeper problems with Microsoft when it comes to security.”
To be sure, preventing highly resourced hackers from breaking into a computer system represents a daunting task, and in many cases it is only a matter of time and resources before a committed, well-resourced attacker can find a way into a protected system. But in the incident disclosed Friday, Microsoft’s errors made the company an easy target.
“It sort of did the cyber equivalent of leaving the front door open,” Grotto said.
While the initial breach was puzzling enough to cybersecurity experts, it’s what happened next that is the real head-scratcher.
According to Microsoft’s account of the breach, it began with a breach of the test account — which, in theory, should be isolated from other corporate systems, let alone the emails of senior Microsoft executives that ended up being targeted. After breaching that test system, the attackers were somehow able to punch a hole into Microsoft’s corporate network.
This type of pivot is one that cybersecurity experts say should be hard to pull off under the best of circumstances. “If any other company in the world was to have that issue” then “they would be out of business,” said Adam Meyers, senior vice president of counter adversary operations at the cybersecurity firm CrowdStrike.
Microsoft’s account of the breach implies that the hackers made use of a poorly understood, neglected piece of infrastructure connected to other parts of its network in ways that the company’s engineers perhaps did not themselves comprehend. These poorly understood technologies may be a function of Microsoft’s age and attempts to make sure that its newer products are generally backwards compatible with its older offerings, said Trey Herr, who directs the Atlantic Council’s Cyber Statecraft Initiative.
Herr said the attack was particularly concerning from a security perspective because it targeted staffers in Microsoft’s cybersecurity and legal functions. Emails belonging to executives in these divisions may give the hackers insight into the company’s ongoing investigations of hacking groups such as Cozy Bear.
By understanding what Microsoft knows of Cozy Bear’s activities — and how the company knows it — the Russian hackers may be in a better position to evade the company’s investigators in the future. “There may be some significant tradecraft involved in those investigations,” Herr said. And by understanding Microsoft’s tradecraft, Cozy Bear may use the knowledge they have gleaned from the breach to inform their future operations.
By targeting the company’s cybersecurity and legal staffers, the hackers could also have gained insight into unpatched vulnerabilities that Microsoft’s staffers are working to resolve but have not yet released patches for, Herr added.
For Microsoft, the breach is especially embarrassing because it comes two months after the company rolled out what it calls its “Secure Future Initiative,” a series of policy changes aimed at improving the company’s security posture in the face of what the firm described as increasingly sophisticated and well-resourced cyberattacks.
In its statement about the Friday breach, the company said it is continuing to shift “the balance we need to strike between security and business risk.”
“We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes,” the company added. “This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy.”
AJ Vicens contributed to this article.