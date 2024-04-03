



Washington CNN —

Microsoft made a cascade of avoidable mistakes that allowed Chinese hackers to hack the tech giants' network and later the email accounts of top US officials last year, including the Commerce Secretary, revealed a scathing study of the incident backed by the US government.

The hack was preventable and should never have happened, according to a report released Tuesday by the U.S. Cyber ​​Safety Review Board (CSRB), a group of government and private cybersecurity experts led by the Department of Homeland Security. It was created by President Joe Biden in 2021 to study the root causes of major hacking incidents.

In particular, the review panel faulted Microsoft (MSFT) for failing to properly protect a sensitive cryptographic key that allowed hackers to remotely log into their targets' Outlook accounts by forging credentials.

Microsoft's security culture was inadequate and requires an overhaul in light of the company's centrality in the technology ecosystem, the report concludes.

The hack shook Washington and allowed Chinese agents to access the unclassified email accounts of top U.S. diplomats, including U.S. Ambassador to China Nicholas Burns, on the eve of a high-profile visit by the secretary of state Antony Blinken in China last June, CNN reported. .

The hackers downloaded about 60,000 emails from the State Department alone, department spokesman Matthew Miller said.

Hackers also hacked into Commerce Secretary Gina Raimondo's email account before her trip to China last August, Raimondo confirmed.

China has denied the hacking allegations.

Microsoft announced in November that it would strengthen its security practices to develop software and protect its users, following the alleged hacking incident in China and scrutiny of its security practices by U.S. lawmakers.

We appreciate the work of [Cyber Safety Review Board] to investigate the impact of well-resourced state threat actors that operate continuously and without meaningful deterrence, a Microsoft spokesperson said in a statement to CNN on Tuesday.

Microsoft mobilized our engineering teams to identify and mitigate existing infrastructure, improve processes and apply security benchmarks, the statement continued. Our security engineers continue to harden all of our systems against attacks and implement even more robust sensors and logging to help us detect and repel our adversaries' cyber armies.

Microsoft will review the board's recommendations, the spokesperson said.

Last summer's alleged hack was part of a series of cyberespionage campaigns linked to China and Russia that exploited widely used software created by companies like Microsoft to target U.S. national security interests . Russian hackers reportedly infiltrated software created by US company SolarWinds to steal emails from US government agencies in 2020.

The U.S. government has reached a decision point with its IT service providers: more of the same or better cybersecurity, said Cory Simpson, CEO of the Institute for Critical Infrastructure Technology, a think tank.

“I hope this CSRB report will be used as a call to action by the U.S. government for meaningful change in its long-standing relationship with Microsoft,” Simpson told CNN.

