Oregon Senator Ron Wyden demanded several inquiries into Microsoft Corporation (NASDAQ: MSFT) following an incident where email accounts of US officials were breached by hackers thought to be connected to China.
The demand came on Friday as part of a letter to Attorney General Merrick Garland and the leaders of the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Trade Commission (FTC).
Senator Wyden claimed that Microsoft holds a considerable part of the blame for the M365 cloud hack, which started with the theft of a Microsoft encryption key.
Microsoft said that the hack happened because of weaknesses in either its identity management software, Azure AD, or its Exchange Online email service. Microsoft’s team identified the hacker group, Storm-0558, based in China and believed to be working for the Chinese government, as the one exploiting these weaknesses starting in mid-May.
A customer alerted Microsoft about the hack, and Microsoft was able to kick out the hackers by mid-June. However, by that time, the hackers had already gotten into the accounts of 25 organizations.
The hacking of US officials’ emails happened just before the Secretary of State, Antony Blinken, went to China to meet President Xi Jinping. Among the hacked accounts were those of the Commerce Secretary Gina Raimondo and some State Department officials. A high-ranking official at the National Security Agency, Rob Joyce, described this incident as “China spying on us.”
Wyden criticized Microsoft about SolarWinds attack
Wyden also criticized Microsoft for its involvement in the 2020 SolarWinds attack. This attack was carried out by Russian hackers who broke into computer systems in the U.S. government and private businesses.
“Government emails were stolen because Microsoft committed another error,” said Wyden in his letter. “Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications.”
Senator Wyden asked the head of CISA, Jen Easterly, to get a group called the Cyber Safety Review Board to look into this incident. This group was set up by President Biden to look into cases of cyber attacks and make a public report about it.
When Microsoft first admitted to the hack and the theft of the key, it said that only their Outlook.com and Exchange Online services were affected. However, new research shows that the stolen key actually gave Chinese hackers access to more than just these two services.
The breach became an even bigger problem for Microsoft when customers said it couldn’t look into the issue because they didn’t have the more expensive E5/G5 license. After a lot of public criticism, Microsoft said it would improve the security features for customers who have the less expensive M365 licenses.
Shares of Microsoft rose 2.3 per cent to $338.37 on Friday on the NASDAQ exchange.