Multiple American security agencies have begun a probe into a serious breach allegedly by a Chinese hackers group into Joe Biden administration’s email accounts supplied by American software giant Microsoft, raising the alarm over sensitive information from those emails that may have fallen into foreign hands.
While the US Congress launched an investigation into recent cyber espionage campaigns allegedly linked to China that led to the successful breach of several government email accounts within the State and Commerce departments earlier this month, the US Department of Homeland Security (DHS) too tasked its Cyber Safety Review Board to go into the cloud security and examine the recent cyberattack that targeted government email accounts, the US-based Nextgov/FCW reported.
The DHS’s Cyber Safety Review Board, composed of 15 cybersecurity leaders across the public and private sectors, will probe how threat actors target cloud computing environments for malicious purposes. The review will also assess how Lapsus$, a hacking group reportedly linked to China, leveraged a vulnerability in Microsoft Exchange Online to access unclassified government emails in the cyberattack.
The cyberattack was described by a senior Cybersecurity and Infrastructure Security Agency (CISA) official as a “surgical campaign” targeting a “small number of mailboxes.” DHS Secretary Alejandro Mayorkas, on the other hand, described cloud security as “the backbone of some of our most critical systems” in a statement announcing the new review on August 11.
“Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology,” Mayorkas said.
The Cyber Safety Review Board, which does not have regulatory authority, will aim to develop best practices that software providers and cloud users across sectors can employ to bolster network security.
US Congress Seeks Probe
The announcement comes after calls from Congress for federal investigations into the cyberattack, including from Democrat Senator Ron Wyden, who urged CISA and the attorney general to take action against Microsoft related to allegations of negligent cybersecurity practices he asserted in a letter last month. “Government emails were stolen because Microsoft committed another error,” Wyden wrote in his letter.
Wyden was happy over the DHS Cyber Safety Review Board announcing the investigation. “Had the Board studied the 2020 SolarWinds hack, as President Biden originally directed, its findings might have been able to shore up federal cybersecurity in time to stop hackers from exploiting a similar vulnerability in the most recent incident.
The government will only be able to protect federal systems against cyberattacks by getting to the bottom of what went wrong,” he said.
Wyden noted in his July letter that the Cyber Safety Review Board was established in response to the 2020 SolarWinds hack but never delivered on a probe of the breach, and Microsoft’s role in it, despite the lawmaker’s urging.
“I have repeatedly pushed CISA and DHS to direct the Board to study the SolarWinds incident but have been rebuffed. Had that review taken place, it is quite likely that Microsoft’s poor data security practices around encryption keys would have come to light, and this most recent incident might have been averted,” Wyden wrote.
Lapsus$ Investigations
The DHS Cyber Safety Review Board had on August 10 released its report on Lapsus$, which was found to have “leveraged simple techniques to evade industry-standard security tools” and avoid detection while accessing critical networks.
According to the report, cybercriminals like Lapsus$ used techniques like phishing employees and stealing cell phone numbers to gain access to proprietary data. The review featured ten actionable recommendations that government agencies, companies, and others can employ to bolster cyber defenses against Lapsus$ and other threat actors.
The report said standard multi-factor authentication techniques featured critical vulnerabilities that left major companies susceptible to cyber intrusions. “Lapsus$ and related threat actors are using basic techniques to gain an entry point into companies,” Rosa Smothers, a government relations executive at the security firm KnowBe4 and former CIA cyber threat analyst, was quoted by Nextgov/FCW.
“Their primary attack vectors – SIM swap attacks and phishing employees – can be easily addressed, especially for companies like Microsoft and Okta that are so well resourced.” The Board recommended organizations “immediately switch to more secure, easy-to-use, password-less solutions by design” and called on the government to develop a “secure authentication roadmap” that helps accelerate the adoption of password-less authentication.
CSRB Chair and DHS Under Secretary for Policy, Robert Silvers, said the review “uncovered deficiencies in how companies ensure their vendors’ security; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their systems. “The board examined how a loosely organized group of hackers, some of them teenagers, were consistently able to break into the most well-defended companies in the world,” Silvers said.
US Congress Seeks Cyber Espionage Briefing After Microsoft Letter
The US Congress, Nextgov/FCW reported on August 2, launched an investigation into recent cyber espionage campaigns allegedly linked to China that successfully breached several government email accounts within the State and Commerce departments.
In separate letters to Commerce Secretary Gina Raimondo and Secretary of State Antony Blinken, Republican leaders of the House Committee on Oversight and Accountability requested briefings from both officials on the discovery, impact, and response to the intrusions.
On its part, Microsoft previously released a report that said a China-based cybercriminal gained access to an unspecified number of unclassified government email accounts through forged authentication tokens and a flaw in its cloud-computing environment that has since been patched.
The letters note that the breach began on May 15 “and operated in stealth for more than a month” before Microsoft began its investigation into the espionage campaign.
“China appears to be graduating from ‘smash and grab heists’ that used to be ‘noisy’ and ‘rudimentary’ to a level described by security experts as ‘among the most technically sophisticated and stealthy ever discovered,'” the letters said.
“The incident even raises the possibility that Chinese hackers may be able to access high-level computer networks and remain undetected for months if not years.”
State Department spokesperson Matthew Miller told reporters in July that the agency “took immediate steps to secure our systems” and notified Microsoft of the breach. However, he declined to specify the date the intrusion was detected. Miller also declined to indicate whether the breach was connected with Secretary Blinken’s recent trip to China.
The intrusions have been associated with a China-based actor known as Storm-0558. According to Microsoft, the cyberattack accessed email accounts at approximately 25 separate organizations through the company’s Outlook Web Access in Exchange Online and Outlook.com. “This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems,” Microsoft said in an announcement about the hack.
The letters also note that the hack further underscores a warning about China included in the National Cybersecurity Strategy released earlier this year, which calls the country “the broadest, most active, and most persistent threat to both government and private sector networks.”
Senator Ron Wyden, separately, wrote to the heads of the Department of Justice, the Federal Trade Commission, and CISA on July 27 to request a probe into Microsoft’s cybersecurity practices that, he says, facilitated the espionage campaign.
“This is not the first espionage operation in which a foreign government hacked the emails of United States government agencies by stealing encryption keys and forging Microsoft credentials,” Wyden noted in his letter.
The lawmaker detailed multiple problems with the company’s methods of securing encryption keys and said, “that these flaws were not detected raises questions about what other serious cybersecurity defects these auditors also missed.”
CISA Outlines New Cybersecurity Strategic Plan
Earlier this month, Cybersecurity and Infrastructure Security Agency said it prioritizes addressing immediate threats, hardening digital terrain, and implementing security at scale, among nine other objectives outlined in its new Cybersecurity Strategic Plan.
Released on August 4, the plan marks CISA’s roadmap for the next three years as the agency works with the Biden administration to safeguard America’s digital networks from the increased onslaught of malicious cyber attacks.
“Now is the moment where our country has a choice: to invest in a future where collaboration is a default rather than an exception; where innovation in defense and resilience dramatically outpaces that of those seeking to do us harm; and where the burden of cybersecurity is allocated toward those who are most able to bear it,” the executive summary of the report reads. “Cyber incidents have caused too much harm to too many American organizations. Working together, we can change this course.”
The nine objectives underpinning the strategy and its three overarching goals include prioritizing coordinated threat disclosure, proactive vulnerability analyses, and implementing cybersecurity investments, among other tenants.
The plan will focus on outcome-based measures for institutions working to reduce their cybersecurity risk. Some of these metrics are centered around reducing incident response time, particularly for federal agencies and critical infrastructure partners.
Other metrics focus on strategic increases. In measuring the efficacy of agency collaborations, CISA is focused on analyzing the increases in the volume of relevant information, in addition to more specific actionable plans and post-incident reports. Notably, the strategy also focuses on implementing the federally-backed secure-by-design concept.
“As a society, we can no longer accept a model where every technology product is vulnerable the moment it is released and where the overwhelming burden for security lies with individual organizations and users,” the report reads. “Technology should be designed, developed, and tested to minimize the number of exploitable flaws before they are introduced to the market.”
In the absence of federal mandates and legislation, tech companies still operate under a voluntary and trust-based collaboration model. CISA “will strive to ensure that regulators and other government entities with compulsory authorities leverage technically sound and effective practices developed together with our partners across the private sector, ideally enabling harmonization across both US and global regulatory regimes.”
The report also notes that CISA will produce and regularly update criteria to develop and maintain secure-by-design products and ensure manufacturer cooperation.
Artificial intelligence software and quantum computing are highlighted as potentially risky technologies that threaten current cybersecurity protocol, particularly with the coming of an operational quantum computer.
CISA’s strategy to mitigate these emerging threats is to work with the developers of these nascent technologies and prepare digital systems through post-quantum cryptographic migrations.
- NC Bipindra is a 30-year veteran in journalism specializing in strategic affairs, geopolitics, aerospace, defense, and diplomacy. He has written extensively for the Times of India, New Indian Express, Press Trust of India, and Bloomberg News. He can be reached at ncbipindra (at) gmail.com
- Article Republished with Modifications
- Follow EurAsian Times on Google News
