Microsoft has published a post-mortem detailing multiple errors that led to Chinese cyberspies hacking into US government emails, blaming the embarrassing incident on a crash dump stolen from a hacked engineer’s corporate account.
The crash dump, which dated back to April 2021, contained a Microsoft account (MSA) consumer key that was used to forge tokens to break into OWA and Outlook.com accounts.
“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump,” Microsoft explained.
The software giant said the race condition issue has since been corrected.
Redmond also acknowledged a failure of its internal systems to detect sensitive secrets leaking from crash dumps. “The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected),” the company said.
The company said the 2021 crash dump with signing key was subsequently moved from the isolated production network into its debugging environment on the internet connected corporate network.
While this is consistent with Microsoft’s standard debugging processes, Microsoft fessed up to another error where its credential scanning methods did not detect the presence of the key.
“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key,” the company explained.
In a stunning twist, Microsoft said that due to log retention policies, it does not have logs with specific evidence of this exfiltration by this actor, noting that the post-mortem is based on “the most probable mechanism by which the actor acquired the key.”
Microsoft’s admission that it does not retain logs to spot this type of activity follows intense criticism of the M365 licensing structure that essentially charges extra for customers to access forensics data during active malware investigations.
Microsoft has since announced plans to expand logging defaults for lower-tier M365 customers and increase the duration of retention for threat-hunting data.
The compromise, which led to the theft of email from approximately 25 organizations, prompted a scathing letter from U.S. senator Ron Wyden calling on the government to hold Microsoft responsible for “negligent cybersecurity practices” that enabled “a successful Chinese espionage campaign against the United States government.”
Last month, the U.S. government said its Cyber Safety Review Board (CSRB) would conduct an investigation into the Microsoft cloud hack and expand to “issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers”.