Sen. Ron Wyden (D-OR) speaks during a news conference after the first Democratic luncheon meeting since COVID-19 restrictions went into effect on Capitol Hill in Washington, April 13, 2021.
Erin Scott | Reuters
Sen. Ron Wyden, D-Oregon, the chair of the powerful Senate Finance Committee, demanded on Thursday that the Justice Department and two civil regulators open separate probes into Microsoft’s “negligent cybersecurity practices” that led to a high-level, targeted hack targeting the highest echelons of President Joe Biden’s cabinet.
Chinese hackers accessed the Microsoft-powered email accounts of top China envoys, Commerce Secretary Gina Raimondo, and Secretary of State Antony Blinken. The intrusion, from May to June, occurred just ahead of a critical Sino-U.S. meeting.
Wyden sent the letter to Attorney General Merrick Garland, Federal Trade Commission chair Lina Khan, and Cybersecurity and Infrastructure Security Agency director Jen Easterly on Thursday.
Microsoft shares fell about 1% in Thursday morning trading.
“Government emails were stolen because Microsoft committed another error. Although the
stolen encryption key was for consumer accounts, ‘a validation error in Microsoft code’ allowed the hackers to also create fake tokens for Microsoft-hosted accounts for government agencies and other organizations, and thereby access those accounts,” Wyden wrote.
Wyden asked that the Justice Department examine whether Microsoft had violated federal law through its negligence; that CISA examine whether Microsoft violated best practices for securing the highly sensitive “skeleton key;” and that the Federal Trade Commission examine whether Microsoft violated federal privacy statutes.
Wyden’s directive to the FTC focused on privacy concerns, but the agency could also examine whether Microsoft’s dominance in the cloud computing market led to heightened risk through anti-competitive behavior. That allegation has been raised by rivals and cybersecurity operators, including Google.
“While Microsoft’s engineers should never have deployed systems that violated such basic cybersecurity principles, these obvious flaws should have been caught by Microsoft’s internal and external security audits,” Wyden said.
“This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks,” a Microsoft spokesperson said. “We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog.”
A spokesperson for the FTC confirmed the agency had received the letter but declined to comment further. CISA did not immediately respond to a request for comment.
Cybersecurity experts have expressed mounting concern over the intrusion, which impacted at least a dozen government organizations worldwide. Both the State Department and the Commerce Department were targeted by Chinese hackers.
The State Department’s cyber team informed Microsoft of the attack, and was only able to do so because it had engineered more granular reporting and logging. After the hack, Microsoft said it would stop charging for the sophisticated logging and offer it for free.
Wyden noted it wasn’t the first time that a foreign government had hacked government agencies by exploiting Microsoft vulnerabilities.
“The Russian hackers behind the 2020 SolarWinds hacking campaign used a similar technique,” Wyden noted. “Moreover, while Microsoft had known since 2017 that such keys could be quietly exfiltrated from customer servers running its software, it failed to warn its customers, including government agencies, about this risk.”
Both Microsoft and federal officials have disclosed relatively little about the hack, though Microsoft has disseminated additional information and made concessions to customers to mitigate the impact of the exploitation.
Read the letter below.