The Cyber Safety Review Board’s report, a copy of which was obtained by The Washington Post, takes aim at shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency over what Microsoft knew about the origins of the breach. (Wikimedia Commons)

A review board, mandated by President Joe Biden, is expected to issue a scathing report detailing lapses by the tech giant Microsoft that led to a targeted Chinese hack last year of top U.S. government officials’ emails, including those of Commerce Secretary Gina Raimondo.

The Cyber Safety Review Board’s report, a copy of which was obtained by The Washington Post, takes aim at shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency over what Microsoft knew about the origins of the breach. It is a blistering indictment of a tech titan whose cloud infrastructure is widely used by consumers and governments around the world.

The intrusion, which ransacked the Microsoft Exchange Online mailboxes of 22 organizations and more than 500 individuals around the world, was “preventable” and “should never have occurred,” the report concludes.

Perhaps most concerning, the board report makes clear, Microsoft still does not know how the Chinese carried out the attack.

In a statement to The Post, Microsoft said it appreciated the board’s work.

“Recent events have demonstrated a need to adopt a new culture of engineering security in our own networks,” a spokesperson for the firm said, noting that Microsoft had created a new initiative to do so. “While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations.”

The report is the third and most significant review by the independent two-year-old board, which investigates such incidents so that government officials and the broader security community can better protect the nation’s digital networks and infrastructure. The board, made up of government and industry experts, is chaired by Robert Silvers, the Homeland Security Department’s undersecretary for policy.

U.S. intelligence agencies say the breach, discovered last June, was carried out on behalf of Beijing’s top spy service, the Ministry of State Security (MSS). The service runs a vast hacking operation that includes the group that carried out the intrusion campaign dubbed Operation Aurora, which was first publicly disclosed in 2010 by Google.

The 2023 Microsoft intrusions exploited security gaps in the company’s cloud, allowing MSS hackers to forge credentials that enabled them to siphon emails from Cabinet officials such as Raimondo, as well as Nicholas Burns, the U.S. ambassador to China, and other top State Department officials.

“Throughout this review, the board identified a series of Microsoft operational and strategic decisions that collectively points to a corporate culture that deprioritized both enterprise security investments and rigorous risk management,” it said.

In other words, the report says, the firm’s “security culture was inadequate and requires an overhaul.”

The U.S. government relies on Microsoft as one of its largest providers of software and cloud services — contracts worth billions of dollars a year.

One of the sharpest rebukes is reserved for the company’s public messaging around the case. Microsoft, the board found, for months did not correct inaccurate or misleading statements suggesting the breach was due to a “crash dump,” or leftover data captured when a system crashes. In fact, the report notes, Microsoft remains unsure whether this event led to the breach.

Microsoft amended its public security statements only on March 12 after repeated questioning by the board about plans to issue a correction and when it was clear the board was concluding its review.

The board faults “Microsoft’s decision not to correct in a timely manner its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not,” according to the report.

Microsoft’s initial statement about the intrusion was made in July, noting that a China-based adversary had somehow obtained a “signing” key — or digital certificate — allowing the hackers to forge users’ credentials and steal Outlook emails.

In a Sept. 6 statement update, Microsoft suggested that the hackers obtained the key through its inadvertent inclusion in the crash dump, which was not detected by the firm’s security systems.

However, in November, Microsoft acknowledged to the board that the September blog post “was inaccurate,” the report stated.

“Left with the mistaken impression that Microsoft has conclusively identified the root cause of this incident, Microsoft’s customers did not have essential facts needed to make their own risk assessments about the security of Microsoft cloud environments in the wake of this intrusion,” the report said.

Microsoft updated the post a few weeks ago. In the update, the Microsoft Security Response Center admits that “we have not found a crash dump containing the impacted key material.”

After years of touting the strength of its cybersecurity, Microsoft — the world’s most valuable company — has been beset in recent years by embarrassing breaches. In early 2021, Chinese government-sponsored hackers compromised Microsoft Exchange email servers, putting at risk at least 30,000 public and private entities in the United States along with at least 200,000 worldwide.

In January, Microsoft detected an attack on its corporate email systems by the Russian foreign spy service, the SVR. The company said the spies broke into a testing unit, moving from there into emails of senior executives and security personnel. Microsoft alerted its customer Hewlett-Packard Enterprise that it had been hacked as part of that campaign, and U.S. officials told The Post last month that there were dozens of other victims, including Microsoft resellers.

Taken together, “these are indications things are quite broken,” said one person familiar with the board’s findings, who like others spoke on the condition of anonymity because the report was not yet public.

The State Department detected the breach in June and informed Microsoft, according to U.S. officials. The report notes that the agency was able to detect the intrusion in part because it had paid for a higher tier of service that included audit logs, which helped determine that the hackers had downloaded some 60,000 emails. The company is now providing U.S. agencies that service free after negotiations with federal officials.

The report details what it calls a “cascade of avoidable errors.” For instance, Microsoft had not noticed the presence of an old signing key from 2016 that should have been disabled but wasn’t. “That one just sat for years, kind of forgotten,” a second person said. Part of the problem was that Microsoft was supposed to switch from a manual key rotation to an automated system that minimized the chance of human error. But that switch never happened. “They never prioritized fixing the problem,” the first person said.

Another error was that the key worked on both business and consumer networks, violating standard protocol. “There were multiple points where just basic things would have made a difference,” the second person said.
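The two failures described above, a signing key left valid for years instead of being rotated and a single key honored by both the consumer and the enterprise side, are both things a token verifier can refuse at validation time. The following is an added illustration, not code from Microsoft or from the board’s report: a toy key store with automated rotation plus a verifier that rejects tokens signed with a key outside its validity window or with a key of the wrong scope. HMAC stands in for the asymmetric signing keys a real identity provider would use, and the key names, lifetimes and claims are constructed for the example.

```python
"""Toy token verifier: enforces key lifetime (automatic rotation) and keeps
consumer and enterprise signing keys from being accepted interchangeably.
Constructed example; HMAC stands in for real asymmetric signing keys."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class SigningKey:
    kid: str
    secret: bytes
    not_before: int   # unix seconds
    not_after: int
    scope: str        # "consumer" or "enterprise" (hypothetical labels)


@dataclass
class KeyStore:
    keys: dict = field(default_factory=dict)

    def add(self, key: SigningKey) -> None:
        self.keys[key.kid] = key

    def rotate(self, scope: str, now: int, lifetime: int, grace: int) -> SigningKey:
        """Issue a fresh key for `scope` and give every older key of that scope a
        hard end of life `grace` seconds out, so nothing sits valid for years."""
        for k in self.keys.values():
            if k.scope == scope and k.not_after > now + grace:
                k.not_after = now + grace
        new = SigningKey(kid=f"{scope}-{now}", secret=secrets.token_bytes(32),
                         not_before=now, not_after=now + lifetime, scope=scope)
        self.add(new)
        return new

    def stale(self, now: int) -> list:
        """Audit helper: keys past end of life that are still loaded and should be removed."""
        return sorted(k.kid for k in self.keys.values() if k.not_after < now)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(key: SigningKey, claims: dict) -> str:
    """Issue a compact header.payload.signature token under `key`."""
    header = _b64(json.dumps({"alg": "HS256", "kid": key.kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_token(token: str, store: KeyStore, expected_scope: str, now: int):
    """Return (claims, None) on success or (None, reason) on rejection."""
    try:
        header_s, body_s, sig_s = token.split(".")
        header = json.loads(_unb64(header_s))
    except (ValueError, json.JSONDecodeError):
        return None, "malformed token"
    key = store.keys.get(header.get("kid"))
    if key is None:
        return None, "unknown kid"
    # A consumer key must never validate an enterprise token, and vice versa.
    if key.scope != expected_scope:
        return None, f"key scope {key.scope} != {expected_scope}"
    # A key past its end of life is refused even if the signature is correct.
    if not (key.not_before <= now <= key.not_after):
        return None, "signing key outside its validity window"
    expected = hmac.new(key.secret, f"{header_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_s)):
        return None, "bad signature"
    claims = json.loads(_unb64(body_s))
    if claims.get("exp", 0) < now:
        return None, "token expired"
    return claims, None


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: a forgotten old enterprise key, current rotated keys
    for both scopes, and three tokens presented to the enterprise verifier."""
    year, day = 365 * 86400, 86400
    store = KeyStore()
    old = SigningKey("enterprise-2016", b"k" * 32, now - 8 * year, now - 7 * year, "enterprise")
    store.add(old)
    ent = store.rotate("enterprise", now - 30 * day, lifetime=90 * day, grace=7 * day)
    con = store.rotate("consumer", now - 30 * day, lifetime=90 * day, grace=7 * day)
    claims = {"sub": "user@example.gov", "exp": now + 3600}   # constructed claims
    return {
        "old_key": verify_token(mint_token(old, claims), store, "enterprise", now)[1],
        "wrong_scope": verify_token(mint_token(con, claims), store, "enterprise", now)[1],
        "valid": verify_token(mint_token(ent, claims), store, "enterprise", now)[1],
        "stale": store.stale(now),
    }


if __name__ == "__main__":
    print(demo())
```

`rotate()` is what the article's "automated system" would do on a schedule: each call caps the life of every older key in that scope, so a key cannot outlive its successor by more than the grace period, and `stale()` gives an operator a list of keys that should already have been unloaded. The scope check runs before the signature check so that a valid signature from the wrong class of key is never treated as evidence of anything.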

A third error noted in the report was that Microsoft security teams did not realize that an engineer whose firm had been acquired in 2020 was working on a compromised laptop that in 2021 was allowed to access the corporate network. According to people familiar with the board’s findings, there’s no evidence that the engineer’s machine was the cause of the breach, though Microsoft suggested in its March update that a “compromised engineering account” is the “leading hypothesis” for how the breach occurred.

The root cause may never be known, the report indicates, but Microsoft did not do an adequate assessment of the acquired firm’s network security before allowing the engineer to plug in his laptop — a basic failure to follow standard cybersecurity practice.

Microsoft cooperated with the board’s investigation, the report notes.

The report caps years of growing frustration with Microsoft among lawmakers, government officials and industry experts. In 2020, Russian government hackers penetrated the network software company SolarWinds to target emails of U.S. government agency employees. One way they stole emails was by exploiting weaknesses in a Microsoft program that some companies use on their own email servers to authenticate employees. The SolarWinds breach affected at least nine federal agencies and 100 private-sector companies.

The following year, Microsoft President Brad Smith told Senate lawmakers that customers who want “the best security should move to the cloud” — the same cloud, or remote servers, that fell victim to the Chinese hack last year. Following that intrusion, Sen. Ron Wyden (D-Ore.) wrote to several government agencies asking that they hold Microsoft accountable for its pattern of lapses.

The 2023 breach could have been far broader. With the stolen key, the hackers “could have minted authentication tokens [credentials] for pretty much any online Microsoft account,” a third person familiar with the matter said. But they apparently opted to target particular people of interest, such as the commerce secretary, a congressman and State Department officials who handle China issues, the person said.

The report emphasizes that big cloud providers, such as Microsoft, Amazon and Google, are enormous targets and must do better for everyone’s sake: “The entire industry must come together to dramatically improve the identity and access infrastructure. … Global security relies upon it.”

It also makes recommendations that address practices such as handling signing keys and managing credentials.

One recommendation borrows from the company’s founder, Bill Gates, who in 2002 wrote an email to his staff emphasizing that security was a priority. “In the past,” Gates noted in his missive, “we’ve made our software and services more compelling for users by adding new features and functionality.” None of that matters unless customers can trust the software, he said. “So now, when we face a choice between adding features and resolving security issues, we need to choose security,” he wrote.

The panel recommended that Microsoft should heed Gates’s strategy and consider holding off on new features until it has fixed its security issues.

The panel’s independent nature means no government body — not the White House or the Department of Homeland Security, which houses the panel — can dictate the report’s findings or recommendations.

“It took the creation of something like this board to produce a credible and unbiased assessment of Microsoft’s behavior, which is a necessary step to accountability,” said Jason Kikta, former head of private sector partnerships at U.S. Cyber Command and now chief information security officer at the IT software firm Automox.
