A U.S. review board tasked with investigating major cybersecurity incidents said it will begin looking at the recent intrusion of U.S. government email systems provided by Microsoft, whose handling of the incident drew ire and scrutiny from federal lawmakers and the wider security community.
The Cyber Security Review Board, or CSRB, said Friday that its latest investigation will include a “broader review of issues relating to cloud-based identity and authentication infrastructure.”
The board said it began considering an investigation after learning of the Microsoft cloud breach, which saw China state-backed hackers break into government email accounts, including the inbox of U.S. Commerce Secretary Gina Raimondo, several officials at the U.S. State Department, and other organizations not yet publicly named.
According to the slow-drip of information about the incident, Microsoft said China-backed hackers stole a sensitive signing key that allowed unauthorized access to enterprise and government email inboxes hosted by the technology giant. That stolen key, coupled with a flaw that Microsoft has since patched, allowed the forging of authentication tokens that the hackers used to access the target’s email accounts as if they were the rightful owners.
The intrusions began in mid-May but were not detected until a month later, when State Department officials detected the breach and notified Microsoft. It was only because the State Department used a higher-paid tier account that allowed access to logs that Microsoft keeps, which first revealed the hacks. Other departments with a lower paid tier were not given access to logs that may have spotted the intrusions sooner.
Following criticism, Microsoft capitulated soon after, saying it would make logs available for customers at no additional cost from September.
Ron Wyden, a Democratic lawmaker on the Senate Intelligence Committee, blasted Microsoft in a scathing letter to government agencies requesting an investigation into whether “lax cybersecurity practices” enabled Chinese hackers to spy on high-ranking federal government officials.
Wyden also called on the CSRB to investigate the incident.
In carrying out a post-mortem of the hack, Homeland Security secretary Alejandro Mayorkas said in remarks it was “imperative” to understand the vulnerabilities in cloud technologies that are relied on by U.S. organizations.
“Actionable recommendations from the CSRB will help all organizations better secure their data and further cyber resilience,” said Mayorkas.
This is the CSRB’s third investigation since it was founded by executive order in 2021 by President Biden. The board, which includes representatives from government and cybersecurity experts in the private sector, serves to review major cybersecurity events and identify recommendations to prevent future incidents.
The CSRB’s first investigation looked at the fallout from the Log4j vulnerability in 2020, and its second — published this week — examined recent attacks by the Lapsus$ hacking group,
