A US government report has found “a cascade of errors” by tech giant Microsoft allowed state-backed Chinese hackers to break into email accounts of senior US officials last year.

The report by the US Cyber Safety Review Board — created in 2021 by an executive order from US President Joe Biden — found the incident was “preventable”, and blamed Microsoft for security breakdowns and a lack of transparency.

Hacking group Storm-0588, which is widely attributed to have links with the Chinese government, was able to infiltrate US government systems by compromising a Microsoft engineer's corporate account.

The report found this occurred due to "a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritised enterprise security investments and rigorous risk management”.

The board said this was “at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations”.

The intrusion was first reported in July 2023, and the board’s review began in August of that year.

Their report claims Microsoft still does not know how the hackers got in, despite making public statements to the contrary.

In a statement, a Microsoft spokesperson told Information Age that “recent events have demonstrated a need to adopt a new culture of engineering security in our own networks”.

"While no organisation is immune to cyberattacks from well-resourced adversaries, we have mobilised our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” they said.

“Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries."

Recommendations for cloud security

The US Cyber Safety Review Board — made up of cyber security experts from the private sector and the US government — recommended that Microsoft, which “fully cooperated” with its review, “make fundamental, security-focused reforms across the company and its suite of products”.

The board said “Microsoft’s security culture was inadequate and requires an overhaul” given the company’s critical role in the global technology ecosystem.

The report has urged Microsoft to undergo cultural change, and to avoid adding new features to its cloud computing systems until “substantial security improvements have been made”.

More broadly, the report also urged all cloud service providers to constantly review their systems, maintain “a rigorous threat model” of potential exploits, implement digital identity standards, and improve how they notify and support victims (including governments).

The Storm-0588 hackers were found to have accessed emails from 22 organisations and more than 500 individuals during the 2023 Microsoft hack.

This included the emails of senior figures such as the US ambassador to China, as well as around 60,000 emails which were downloaded from the US State Department.

Dmitri Alperovitch, Acting Deputy Chair of the Cyber Safety Review Board, said, “Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors.”

Alejandro Mayorkas, the Secretary of the US Department of Homeland Security, said the security of cloud technologies had “never been more important”, as they are heavily relied on by individuals and organisations.

“Nation-state actors continue to grow more sophisticated in their ability to compromise cloud service systems,” he said.

The board also expressed concern about a January 2024 hack of email accounts belonging to some Microsoft executives and customers, which was attributed to state-backed Russian hackers.

Australia has previously blamed Chinese hackers for a number of cyber attacks, including developing exploits which could have targeted local organisations using Microsoft Exchange Server vulnerabilities.