Senator Ron Wyden (D-Ore.) is urging the US Justice Department to pursue Microsoft for "negligent cybersecurity practices" that allowed Chinese espionage hackers to collect hundreds of thousands of emails from cloud users, including those of US Department of State and Commerce officials.
The letter was sent to the Department of Justice, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Trade Commission (FTC) on Thursday, July 27.
Is Microsoft Covering Up Details of Major Security Breach?
So far, Microsoft's disclosures have avoided saying that the company's infrastructure was compromised. This includes the Azure Active Directory (AD), a supposedly secure part of Microsoft's cloud offerings that large organizations use to manage single logins and multifactor authentication.
In a report by Ars Technica, critics have said that the information Microsoft has released so far proves beyond a reasonable doubt that the successful attack was accomplished by exploiting flaws in code for Azure AD and other cloud products.
Microsoft, as both the software developer and the cloud service provider, suspected that vulnerabilities in its Azure AD or Exchange Online email service were to blame for the breach.
According to Microsoft's Threat Intelligence team, the Chinese government-affiliated hacker group Storm-0558 began exploiting its products on May 15. On June 16, after being alerted by a customer, Microsoft researchers evicted the intruders. By that point, however, Storm-0558 had already compromised the accounts of 25 organizations.
Microsoft has attempted to explain how the nation-state hackers gained access to the email accounts of some of the company's largest customers by using vague phrases like "issue," "error," and "flaw." Through this vulnerability, the attackers were able to obtain an inactive Microsoft Account signing key that Microsoft used to sign users in to Exchange.
The company's most recent update on the incident, issued 13 days earlier, said it did not know how Storm-0558 had obtained the key, and Microsoft had not revised that account since.
Microsoft said an in-depth analysis revealed that the attackers were able to successfully generate legitimate Azure AD login tokens by using the Microsoft Account, abbreviated as MSA, key. The MSA key was used to sign tokens for Azure AD, despite Microsoft's intent that it be used primarily for consumer accounts. According to Microsoft, a validation flaw in the company's code allowed for the forgery to occur.
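The failure mode described above, a token signed by a key belonging to one issuer being accepted as a token for another, comes down to how a verifier selects its trusted key. The following example is added here to illustrate that validation pattern; it is not Microsoft's code and does not reproduce the actual flaw. It contrasts a loose verifier, which locates a key by its `kid` across every key set it knows, with a strict verifier that only considers keys published by the issuer the service expects and also checks `iss`, `aud` and `exp`. The issuers, key ids, key material and claims are all constructed for this example, and HMAC stands in for the asymmetric (RSA) signatures real Azure AD and MSA tokens use so that the block runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key material for two hypothetical issuers: a consumer identity
# service and a workforce (tenant) identity service. In a real deployment these
# would be public keys fetched from each issuer's JWKS endpoint, and a token's
# signature could only be produced by the issuer holding the private key.
KEYS_BY_ISSUER = {
    "https://login.consumer.example/": {"msa-key-1": b"consumer-signing-secret"},
    "https://login.workforce.example/tenant-a/": {"aad-key-1": b"workforce-signing-secret"},
}
CONSUMER_ISS = "https://login.consumer.example/"
WORKFORCE_ISS = "https://login.workforce.example/tenant-a/"
WORKFORCE_AUD = "api://mail.workforce.example"   # the service validating tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, signing_input: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def sign_token(issuer: str, kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token (header.payload.signature) with the named
    key. Whether the result should be trusted is entirely up to the verifier."""
    key = KEYS_BY_ISSUER[issuer][kid]
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    return f"{header}.{body}.{_b64url(_mac(key, signing_input))}"


def _split(token: str):
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(body_b64))
    return header, claims, f"{header_b64}.{body_b64}".encode(), _b64url_decode(sig_b64)


def verify_loose(token: str) -> dict:
    """Flawed pattern: find the key by 'kid' in ANY key set the verifier knows,
    then accept the token if the signature and expiry check out. A valid key from
    the wrong issuer is enough to pass."""
    header, claims, signing_input, sig = _split(token)
    for keyset in KEYS_BY_ISSUER.values():
        key = keyset.get(header.get("kid"))
        if key and hmac.compare_digest(_mac(key, signing_input), sig):
            if claims.get("exp", 0) > time.time():
                return claims
    raise ValueError("signature or expiry check failed")


def verify_strict(token: str, expected_iss: str, expected_aud: str) -> dict:
    """Hardened pattern: the key may only come from the expected issuer's key
    set, and iss, aud and exp are all checked against what this service expects."""
    header, claims, signing_input, sig = _split(token)
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(header.get("kid"))
    if key is None:
        raise ValueError("kid is not in the expected issuer's key set")
    if not hmac.compare_digest(_mac(key, signing_input), sig):
        raise ValueError("bad signature")
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


def demo() -> tuple:
    """Return (loose_accepts, strict_accepts) for a token carrying workforce
    claims but signed with the consumer issuer's key."""
    claims = {"iss": WORKFORCE_ISS, "aud": WORKFORCE_AUD, "sub": "alice",
              "exp": int(time.time()) + 600}
    cross_signed = sign_token(CONSUMER_ISS, "msa-key-1", claims)
    loose_ok = verify_loose(cross_signed).get("sub") == "alice"
    try:
        verify_strict(cross_signed, WORKFORCE_ISS, WORKFORCE_AUD)
        strict_ok = True
    except ValueError:
        strict_ok = False
    return loose_ok, strict_ok


if __name__ == "__main__":
    print(demo())  # loose verifier accepts, strict verifier rejects
```

The point a defender should take from the strict variant is that key selection is scoped by the expected issuer before the signature is ever checked, so a cryptographically valid signature from a key outside that scope is never treated as evidence of anything; checking `iss` and `aud` afterwards closes the remaining gap where a key set is shared between services.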
Holding Microsoft Accountable
Wyden demanded that US Attorney General Merrick B. Garland, CISA Director Jen Easterly, and FTC Chair Lina Khan hold Microsoft responsible for the hack.
He said that Microsoft had also covered up its part in the SolarWinds supply chain attack, which Russian hackers used to infect 18,000 users of the network management software made in Austin, Texas. Some of these customers were targeted in follow-on attacks that gave the hackers access to their networks; that group included nine government agencies and 100 organizations.
He equated the SolarWinds case's actions with those he said caused the current breach at the Departments of Commerce and State, among other major clients.