
In March 2024, the Cybersecurity Review Board published a report that examined a summer 2023 intrusion of Microsoft Exchange Online by suspected Chinese-linked attackers.  The campaign impacted the mailboxes of 22 organizations and more than 500 individuals globally, including prominent U.S. government officials with national security responsibilities such as the Commerce Secretary, a U.S. ambassador, and at least one U.S. congressional representative.  Per the report’s findings, the attackers, tracked as “Storm-0558,” accessed the targeted accounts using authentication tokens that were signed by a key Microsoft had created in 2016.  What’s more, and perhaps more worrisome, this was not the first time Storm-0558 had conducted an attack against a cloud provider, the group having been linked to the 2009 Operation Aurora campaign directed against more than two dozen companies in an attempt to steal trade secrets, and to the 2011 RSA SecurID breach, in which these actors stole secret keys in order to generate SecurID tokens for further compromise activities.

In its review, the Cybersecurity Review Board found a “cascade of Microsoft’s avoidable errors” that enabled the attackers in their efforts.  Specifically, Storm-0558 actors had used a Microsoft signing key to issue their own tokens, and the 2016 Microsoft key still worked when it was no longer supposed to be signing new tokens, allowing entry into enterprise email accounts.  Although Microsoft believed that Storm-0558 may have used an acquired MSA consumer token signing key to forge tokens to access Microsoft Exchange Online accounts, the Board felt that Microsoft still had not demonstrated to its satisfaction how these actors obtained the 2016 MSA key.  Ultimately, the Board concluded that Microsoft had made a series of “operational and strategic decisions” that suggested a culture that did not prioritize security and risk management.
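The two failures named above, a retired key still being accepted for new tokens and a consumer-scope key being honored by an enterprise service, are both checks a token verifier can enforce on its own.  The following is an added illustration written for this article; it is not Microsoft’s code and does not reconstruct the actual forgery.  It assumes a simplified header.payload.signature token format, uses HMAC-SHA256 in place of the asymmetric signatures real cloud tokens carry so that it runs with the standard library only, and every key, key id, issuer and claim value in it is constructed for the demonstration.

```python
"""Defensive token verification: reject a retired signing key and a key from the
wrong scope.  Added example for this article, not Microsoft's code.  HMAC-SHA256
stands in for the asymmetric signing used in practice; all keys, key ids and
claims are constructed."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Tuple

NOW = datetime(2023, 7, 1, tzinfo=timezone.utc)  # constructed "current time"

# Constructed key set.  Each key records the scope it may sign for and the
# window during which tokens signed with it should still be accepted.
KEYS = {
    "msa-2016": {"secret": b"retired-consumer-key", "scope": "consumer",
                 "valid_from": datetime(2016, 4, 1, tzinfo=timezone.utc),
                 "valid_to": datetime(2021, 4, 1, tzinfo=timezone.utc)},
    "msa-2023": {"secret": b"current-consumer-key", "scope": "consumer",
                 "valid_from": datetime(2023, 1, 1, tzinfo=timezone.utc),
                 "valid_to": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    "ent-2023": {"secret": b"current-enterprise-key", "scope": "enterprise",
                 "valid_from": datetime(2023, 1, 1, tzinfo=timezone.utc),
                 "valid_to": datetime(2024, 1, 1, tzinfo=timezone.utc)},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Build header.payload.signature with the named (constructed) key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_lax(token: str) -> bool:
    """Signature-only check: any key in the set is accepted, whatever its
    validity window or scope.  This is the weak behaviour the article describes."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    key = KEYS.get(json.loads(_unb64(header_b64))["kid"])
    if key is None:
        return False
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, _unb64(sig_b64))


def verify_strict(token: str, expected_scope: str,
                  now: datetime = NOW) -> Tuple[bool, str]:
    """Signature check plus key-lifecycle, key-scope and token-expiry checks.
    Returns (accepted, reason) so a rejection can be logged with its cause."""
    if not verify_lax(token):
        return False, "bad signature or unknown key"
    header_b64, payload_b64, _ = token.split(".")
    kid = json.loads(_unb64(header_b64))["kid"]
    key = KEYS[kid]
    claims = json.loads(_unb64(payload_b64))
    if not (key["valid_from"] <= now < key["valid_to"]):
        return False, f"key {kid} outside its validity window"
    if key["scope"] != expected_scope:
        return False, f"key {kid} is a {key['scope']} key, not {expected_scope}"
    if datetime.fromtimestamp(claims["exp"], tz=timezone.utc) <= now:
        return False, "token expired"
    return True, "ok"


# Constructed sample tokens: a forgery with the retired key, a consumer key used
# against an enterprise service, an expired enterprise token, and a valid one.
_CLAIMS = {"sub": "official@example.gov", "aud": "exchange",
           "exp": int((NOW + timedelta(hours=1)).timestamp())}
FORGED_RETIRED = sign_token("msa-2016", _CLAIMS)
FORGED_WRONG_SCOPE = sign_token("msa-2023", _CLAIMS)
EXPIRED = sign_token("ent-2023", dict(_CLAIMS, exp=int((NOW - timedelta(hours=1)).timestamp())))
LEGIT = sign_token("ent-2023", _CLAIMS)

if __name__ == "__main__":
    for name, tok in [("retired key", FORGED_RETIRED), ("wrong scope", FORGED_WRONG_SCOPE),
                      ("expired", EXPIRED), ("legitimate", LEGIT)]:
        print(f"{name:12} lax={verify_lax(tok)!s:5} strict={verify_strict(tok, 'enterprise')}")
```

The point of returning a reason string is operational: a verifier that silently rejects gives the security team nothing to alert on, whereas “key outside its validity window” appearing in service logs is exactly the signal that a retired key is being presented.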

Indeed, this sentiment was echoed by a whistleblower in June 2024 who indicated the company chose profit over security, especially at a time when the federal government looked to commit to investing in cloud computing.  Per the whistleblower, his attempts to entreat the company to fix a serious flaw he had found in a Microsoft product were ignored.  Such a response from the company proved worrisome, as within months U.S. officials confirmed that Russian state-sponsored threat actors had executed an attack against SolarWinds using that very vulnerability.  The breach gave access to a large number of organizations, including prominent government entities such as the National Nuclear Security Administration and the National Institutes of Health, to name a couple.

There is nothing new about vulnerabilities when it comes to software, hardware, and firmware, so it is essential that companies demonstrate responsibility and accountability for promptly disclosing them and providing fixes.  And that’s what makes what Microsoft did (or in this case, what it failed to do) so dangerous.  Recent reporting indicates that the Pentagon is looking to increase its use of Microsoft offerings across the enterprise.  Per a draft memo obtained by a news outlet, the Pentagon has advocated that department components upgrade to Microsoft “E5 licenses.”  Therefore, it’s easy to see how such a lapse in security consciousness could create major problems down the road, a reality that has caused Congress to contact the Department of Defense to better understand the full nature of its embrace of Microsoft for its technology needs.

According to one source, as of the end of 2023, Microsoft cloud computing ranked second to Amazon with respect to market share.  Its growing footprint, as well as its efforts in securing large government contracts in the United States, naturally make Microsoft cloud offerings a highly valuable target for hostile state and nonstate actors looking to exploit them for their advantage.  As evidenced by the examples already stated, China and Russia have been routinely linked to cloud computing compromise attempts, and a recent campaign by an unknown state actor targeting Russian cloud services was exposed.  Over the past year, the Department of Homeland Security has published advisories and alerts about Russian state actors adapting tactics to gain initial cloud access, as well as recommendations for organizations to enhance their monitoring to detect state activity targeting cloud environments they may be using.  But interest in compromising cloud environments is not solely the purview of governments.  A 2024 cybersecurity vendor report found that cloud environment intrusions increased 75% from 2022 to 2023, and the majority of the activity that the company observed had been attributed to cybercriminals looking to “compromise cloud workloads and use this knowledge to abuse features unique to the cloud for their own purpose.”  Unsurprisingly, cyber powers Iran and North Korea have also been linked to attacks looking to gain access into cloud environments, showing that other governments are thinking along the same lines.

This increased attention on cloud computing comes at a time when organizations are actively gravitating toward cloud offerings.  A 2022 study found that 63% of tech and business professionals used cloud services “heavily.”  The cloud market has grown exponentially, increasing from USD $440 billion in 2022 to USD $500 billion in 2023, with some estimating it will surpass USD $1 trillion by 2028.  If these statistics are any guide, there is little doubt that organizations will continue to turn to cloud computing, with some even using multiple cloud providers for their needs.  That said, it is imperative that the companies deploying these technologies are held accountable for ensuring the confidentiality, integrity, and accessibility of their platforms for their customers.  Currently, turning a blind eye to vulnerabilities and failing to address them in a prompt manner is inexcusable, and risks having the government impose draconian regulations that could impact companies’ bottom lines and ability to compete globally.

When it comes to advanced technology, protection and security must carry the same weight as benefit and profitability.  Neglecting to do so risks incurring far-reaching breaches like SolarWinds or the recent Microsoft Exchange Online intrusion, or worse, breaches whose damages might not be realized for some time after their detection.  Cyber accountability is not a responsibility reserved solely for nation state behavior.  It must start with the very companies that create the solutions and technologies used by both the public and private sectors.  As more organizations gravitate toward the cloud, providers should collaborate on setting baseline security practices, transparent vulnerability disclosure rules, and compliance measures for their industry.  Otherwise, as with the Supreme Court’s recent overturning of the Chevron deference decision, Congress and the courts could be left to interpret and enforce statutes.  And judging from how Microsoft’s president was recently grilled by Congress over its cybersecurity failure, that may not portend well for private companies caught not acting responsibly.

Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.