
Microsoft Faces Mounting Scrutiny Over China-Linked Email Hack

Leading lawmaker accuses tech company of security negligence that enabled spying campaign

By Dustin Volz and Robert McMillan

July 27, 2023 9:00 am ET


Microsoft says hackers got to the emails by first gaining access to an obscure but critical part of its infrastructure called an MSA digital signing key.

Photo: Jacob Kepler for The Wall Street Journal

Microsoft is attracting renewed scrutiny and accusations of negligent security over a hack that allowed China to spy on top Biden administration officials, as some security researchers say the breach may be worse than initially suspected.

The Chinese hack, disclosed earlier this month, compromised the unclassified Microsoft email inboxes of senior State Department officials, including the U.S. ambassador to China, as well as Commerce Secretary Gina Raimondo and others, according to U.S. officials.

Full details about the attack, including how it began, aren’t publicly known, but it has prompted a number of congressional inquiries. On Thursday a leading lawmaker on cybersecurity issues, Sen. Ron Wyden (D-Ore.), asked for three separate federal probes of Microsoft’s “negligent cybersecurity practices” that he said enabled a Chinese espionage campaign against the U.S. government. 

“Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident,” Wyden said in the letter, which is addressed to Attorney General Merrick Garland, Federal Trade Commission Chair Lina Khan and Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency.

Microsoft said the hackers obtained access to an obscure but critical part of its infrastructure called an MSA digital signing key, which was then used to gain access to customer data. The company has explained aspects of the hack in blog posts but said how it unfolded is currently unknown. The tech company also said it would make certain tools that can help spot cyberattacks free, after its tiered payment system for those services drew criticism following the hack.

A Microsoft spokesman said that the company is working with government agencies and is committed to sharing information about the hack. “This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks,” he said.

“These signing keys are the most precious secret that you have,” said Ami Luttwak, co-founder of the cloud-security company Wiz, in an interview. “It’s like you have a printing machine to all of the passports in the world: You can become anyone that you want.”

The U.S. says the hack compromised the unclassified Microsoft email inboxes of officials including Commerce Secretary Gina Raimondo.

Photo: Nathan Howard/Bloomberg News

Researchers at Wiz said that the digital key that was obtained had been issued in 2016 and wasn’t taken out of service until a few weeks after the attack was discovered. 

The Microsoft spokesman said the Wiz findings presented “hypothetical attack scenarios” that the company hasn’t observed.

MSA keys can be used to gain access to Microsoft’s consumer products, but because of a flaw in Microsoft’s cloud, the hackers were able to use the stolen key to access government and corporate accounts, according to Microsoft.

Security experts and Wyden questioned several Microsoft practices, including apparently allowing the same MSA key to be used for years.

“Federal cybersecurity guidelines, industry best practices, and Microsoft’s own recommendations to customers, dictate that encryption keys be refreshed more frequently, for the very reason that they might become compromised,” Wyden said.

Digital certificates also played a role in Russia’s SolarWinds hack, discovered in 2020. Wyden also faulted Microsoft for its role in that incident. 

Although experts praised Microsoft for providing some details about the Chinese hack, some have called for more disclosure, saying it is needed to determine the extent of the damage and whether it could happen again. 

“My concern here is that we don’t know how the key got away,” said Karim El-Melhaoui, principal security architect with security company O3 Cyber.

In his letter, reviewed by the Journal, Wyden asked the Justice Department to investigate whether Microsoft violated federal law relating to cybersecurity standards for government contractors. He also asked the FTC to investigate Microsoft’s privacy and data-security practices, including whether the alleged security lapses at issue in the hack began before the expiration in December of a 20-year consent decree the agency imposed following an earlier security incident. 

Finally, the senator asked the Cyber Safety Review Board to review the cyber-espionage campaign and why Microsoft’s apparent security shortfalls weren’t previously discovered by government audits.

“Holding Microsoft responsible for its negligence will require a whole-of-government effort,” Wyden said.

The letter is the latest effort by lawmakers and cybersecurity experts to gain a fuller understanding of the hack, allegedly state-sponsored. U.S. officials have sought to play it down as routine espionage between adversarial nations. 

Some cybersecurity specialists have deemed it an unusually powerful and impressive compromise of Microsoft’s cloud-based email infrastructure. A separate bipartisan letter signed by 14 senators, sent Wednesday and earlier reported by Newsweek, asked the State Department’s chief information officer for an unclassified briefing on the hack by early September.

Wiz believes that the hackers could have been able to steal data in addition to emails, such as Microsoft Teams chat messages and SharePoint documents.

The U.S. hasn’t formally linked the attack to China, though Microsoft attributed it to a Chinese hacking group and officials and lawmakers have said Beijing is responsible. China has denied the allegations. 

More than two dozen organizations globally were affected, Microsoft said. Fewer than 10 organizations were compromised in the U.S., with the hackers apparently accessing a small number of individual email accounts in each case, U.S. officials have said. They have described the attack as narrowly targeted at individuals whose communications were believed to possess high intelligence value.

Write to Dustin Volz at [email protected] and Robert McMillan at [email protected]
