A Democratic lawmaker is calling on federal agencies to hold Microsoft accountable for “negligent cybersecurity practices” that played a part in a Chinese hacking campaign that targeted U.S. government email addresses.

Sen. Ron Wyden (D-Ore.) wrote a letter to the heads of the Department of Justice, Federal Trade Commission, and Cybersecurity and Infrastructure Security Agency (CISA) on Thursday imploring the agencies to investigate the incident that came to light earlier this month. CISA and the Federal Bureau of Investigation on July 12 published a joint advisory regarding unexpected events observed in Microsoft 365 audit logs.

In a July 14 blog, Microsoft explained that a China-based threat actor with espionage objectives “used forged authentication tokens to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud.” The company said it identified the issue in June and has since disrupted the malicious activities.

Agencies reportedly affected by the breach included the State Department and Commerce Department.

Wyden called for investigations to focus on Microsoft’s privacy and security practices, which he said should have been scrutinized more closely following the 2020 SolarWinds hack that featured exploited Microsoft software. He faulted the Biden executive branch for not studying the SolarWinds breach more closely, as intended.

“Had that review taken place, it is quite likely that Microsoft’s poor data security practices around encryption keys would have come to light, and this most recent incident might have been averted,” Wyden wrote.

Microsoft “bears significant responsibility for this new incident,” he said.

“This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks,” a Microsoft spokesperson said in an emailed statement. “We continue to work directly with government agencies on this issue and maintain our commitment to continue sharing information.”