US senator accuses Microsoft of negligence over Azure breach

Senator Wyden also says Microsoft never took responsibility for its part in the SolarWinds hack

In a strongly worded letter to the directors of the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Trade Commission (FTC), and the US Attorney General on Thursday, Democratic party senator Ron Wyden accused Microsoft of "negligent cybersecurity practices."

His comments were in relation to the recent breach of Azure cloud services, which allowed Chinese hackers to monitor email accounts at 25 organisations worldwide, including government agencies in the US and Western Europe.

He also accused Microsoft of failing to take responsibility for its role in previous incidents, including the 2020 SolarWinds hack.

On 11 July, Microsoft said a state-backed threat group had covertly accessed email accounts at government agencies in the US and Western Europe. The company attributed the attacks to Storm-0558, a threat actor believed to be based in China, saying that it used a consumer signing key, enabling it to forge authentication tokens and access customer email accounts via Outlook Web Access (OWA) in Exchange Online and Outlook.com.

Microsoft was at fault for using a single encryption key for multiple Azure services, allowing hackers to forge access credentials once they had stolen the key, Wyden said in the letter, adding that Microsoft made an additional error that allowed the threat actors to steal government emails.

"Although the stolen encryption key was for consumer accounts, 'a validation error in Microsoft code' allowed the hackers to also create fake tokens for Microsoft-hosted accounts for government agencies and other organisations, and thereby access those accounts."

Wyden claimed that the stolen encryption key was created in 2016 with an expiry date of 2021.

"Federal cybersecurity guidelines, industry best practices, and Microsoft's own recommendations to customers, dictate that encryption keys be refreshed more frequently, for the very reason that they might become compromised," he wrote. "And authentication tokens signed by an expired key should never have been accepted as valid."
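The two failures described above (a key accepted outside its validity window, and a consumer-scoped key accepted for enterprise accounts) are both token-verifier checks. The following is an added example, not code from the article or from Microsoft; it uses HMAC for signing so it runs offline, whereas a real identity provider uses asymmetric keys, and the key ids, secrets and validity dates are constructed for illustration. The point it shows is that a verifier must check the signing key's own validity window and audience scope, not just that the signature is mathematically correct.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class SigningKey:
    kid: str
    secret: bytes      # hypothetical HMAC secret; a real provider would hold an asymmetric key
    audience: str      # account class this key may sign for: "consumer" or "enterprise"
    not_before: int    # unix time the key becomes valid
    expires: int       # unix time after which tokens signed with it must be rejected


# Constructed key registry: a consumer key valid 2016-2021 and an enterprise key valid for 2023.
KEY_REGISTRY = {
    "consumer-2016": SigningKey("consumer-2016", b"constructed-consumer-secret",
                                "consumer", 1451606400, 1609459200),
    "enterprise-2023": SigningKey("enterprise-2023", b"constructed-enterprise-secret",
                                  "enterprise", 1672531200, 1704067200),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: SigningKey, claims: dict) -> str:
    """Produce a JWT-shaped token (header.body.signature) signed with the given key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": key.kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_token(token: str, expected_audience: str, now: int) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects tokens whose signing key is expired or mis-scoped."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        claims = json.loads(_unb64(body_b64))
        presented_sig = _unb64(sig_b64)
    except ValueError:
        return False, "malformed token"

    key = KEY_REGISTRY.get(header.get("kid"))
    if key is None:
        return False, "unknown key id"

    expected_sig = hmac.new(key.secret, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return False, "bad signature"

    # Check 1: a valid signature from a key outside its validity window is still a rejection.
    if not (key.not_before <= now < key.expires):
        return False, "key outside validity window"

    # Check 2: the key's scope and the token's audience must both match the account class
    # being protected, so a consumer key can never vouch for an enterprise account.
    if key.audience != expected_audience or claims.get("aud") != expected_audience:
        return False, "key not valid for this audience"

    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"
```

Both checks are independent of signature correctness: in the example, a token signed with `consumer-2016` presented in 2023 fails on the validity window, and the same key presented in 2017 for an enterprise audience fails on scope even though the signature verifies.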

The 2020 SolarWinds attack by Russian operatives targeted users of Microsoft's on-premises identity management software. Microsoft failed to warn administrators that their encryption keys had been removed, Wyden said.

"Microsoft never took responsibility for its role in the SolarWinds hacking campaign. It blamed federal agencies for not pushing it to prioritise defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017. It blamed its customers for using the default logging settings chosen by Microsoft, and then blamed them for not storing the high-value encryption keys in a hardware vault."

Wyden said he had pushed CISA and the US Department of Homeland Security to investigate the SolarWinds hack more thoroughly, but was rebuffed.

The letter concludes with a request for CISA director Jen Easterly to direct the Cyber Safety Review Board to investigate the incident, including Microsoft's key storage practices. It urges Attorney General Merrick Garland to examine whether Microsoft's "negligent practices" violated federal law, and asks FTC chair Lina Khan to investigate Microsoft for "unfair and deceptive business practices" concerning its security practices.

In a statement, a Microsoft spokesperson said the latest breach "demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks."

"We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog."