Microsoft’s System Security Vulnerabilities on the Rise in Recent Years


“A corporate culture that prioritized investments in corporate security, and risk management at odds with the level of trust customers place in the company”: the CSRB, a government committee attached to the United States Department of Homeland Security, did not mince its words. Less than two weeks ago, the advisory committee published its findings on the espionage campaign that targeted Microsoft's Exchange Online email service and the mailboxes of senior US government officials.

An “avoidable” intrusion

Last summer, the mailboxes of 22 organizations and 500 individuals around the world were hacked. The CSRB added that the hacker group's intrusion was “avoidable”. A Microsoft spokesperson then gave assurances that a “new safety engineering culture” would be adopted.


In the meantime, however, the Redmond firm has been the victim of new cyberattacks. At the start of the year, the Windows publisher indicated that the Nobelium hacker group, affiliated with Russia's foreign intelligence services, had infiltrated the email accounts of several of its leaders. They include Brad Smith, president and chief public affairs officer, and Amy Hood, chief financial officer.

Microsoft then admitted, in March, that these same hackers had also stolen “some source code repositories and internal company systems”. The American federal cybersecurity agency (CISA) confirmed last week that it was indeed Russian hackers, while issuing emergency directives to other federal agencies to better protect themselves.

Long detection and correction times

Most of the cyberattacks suffered by Microsoft have a common denominator: they take time to detect or remediate. The Nobelium group's intrusion, detected on January 12, actually began at the end of November. A previous hack of Microsoft Exchange, in August 2021, gave hackers access to sensitive data from six foreign ministries and eight companies specializing in energy. The sensitive information, of a diplomatic nature, was allegedly stolen over a period of three years, between 2017 and 2020.

In March 2023, cybersecurity company Tenable discovered a critical vulnerability in the Azure cloud, which could allow a hacker to access sensitive information. The flaw was reported to Microsoft, which decided to apply a first patch… 90 days later. “Developing a security update is a delicate balance between speed and quality, while ensuring maximum protection with minimal disruption,” the IT giant said in its defense.


US government dependence criticized

The U.S. government's reliance on Microsoft is also a cybersecurity vulnerability, according to some cybersecurity experts. Currently, most government agencies use Windows and Office, as do the Pentagon and the FBI. When the CSRB's findings were released earlier this month, few political or government officials declined to criticize Microsoft, even though the report was commissioned by Joe Biden, who was committed to controlling the abuses of tech giants.

“The US government's dependence on Microsoft poses a serious threat to US national security,” Democratic Senator Ron Wyden went so far as to say. “The government is stuck with the company’s products, despite multiple breaches of U.S. government systems by foreign hackers caused by the company’s negligence.” The senator announced last week that he was introducing a bill to set a 4-year deadline for the government to stop purchasing products like Microsoft Office, which do not integrate effectively with competing services.

Microsoft launches its roadmap


“We are committed to adapting to the evolving threat landscape and building industry-government partnerships to defend against these growing and sophisticated global threats,” explained Steve Faehl, chief technology officer for Microsoft's federal security business, in a written response to Wired.

Last fall, the firm launched an initiative to improve its internal security, including automatically blocking certain abuses, searching for sensitive information in network traffic, and imposing new requirements when creating business accounts. Finally, Microsoft claims to have deployed “thousands of engineers” to improve its products, and says it meets with certain executives at least twice a week regarding the status of updates.
