Wiz CTO: Microsoft Cloud Breach Findings Raise ‘Many More Questions’

With Microsoft revealing that the timeline for the incident may stretch back to early 2021, there are now big questions about what the company’s evidence shows — or does not show — about what the China-linked threat actor was able to do during that time, Wiz’s Ami Luttwak tells CRN.

The latest findings from Microsoft about the high-profile cloud breach that impacted U.S. government email accounts raise “many more questions” that need to be addressed by the company about the potential activities of a China-linked hacking group blamed for the attack, Wiz CTO Ami Luttwak told CRN.

In particular, the new findings from Microsoft do not make clear what evidence the company truly has — or does not have — about the potential impacts of the attack, Luttwak said in an interview Wednesday.

The breach, which reportedly affected federal agencies including the State Department and Commerce Department, has drawn significant attention across industry and government. In late July, U.S. Sen. Ron Wyden requested a federal investigation to determine “whether lax security practices by Microsoft” led to the hack.

In a blog post Wednesday, Microsoft disclosed additional details from its investigation about what may have led to the breach. Without a doubt, it’s a “great step” that Microsoft has shared the findings, Luttwak told CRN.

“That’s very important in terms of transparency,” he said. For the most part, however, “It’s not conclusive evidence,” Luttwak said.

New Timeline

One new detail revealed by Microsoft in the post Wednesday is that the timeline for the incident most likely stretches back to April 2021 — more than two years earlier than previously believed.

Given that Microsoft had initially believed the incident began on May 15, the new timeline “raises a ton more questions” about whether the threat actor’s activities may have involved more than compromising the email accounts of 25 organizations, as Microsoft previously thought, according to Luttwak.

Additionally, Microsoft disclosed in the blog that it does not actually have logs going back to April 2021, due to its log retention policies — which suggests that the company itself may not know one way or the other what the full scope of the attacker’s activities was, Luttwak said.

“There is a huge difference from saying, ‘The attack started in May 2023 and only affected 20 email boxes,’ to saying, ‘[Our system] was actually compromised two years ago and we don’t know what happened since then,’” he said.

Broader Scope?

During the attack, an Azure Active Directory key stolen by the threat actor was misused to forge authentication tokens and access emails via Outlook Web Access and Outlook.com, Microsoft said previously.

However, the potential scope of the incident is not restricted only to Microsoft cloud email accounts, Luttwak noted. Wiz researchers disclosed in late July that the stolen Azure Active Directory key could be used to gain access to numerous other Microsoft services — including SharePoint, Teams and OneDrive — as well as third-party applications.

With the Azure AD key, “you can basically impersonate anyone on any service,” Luttwak told CRN. With the longer incident timeline and apparent lack of log evidence, “can we say clearly that this [key] wasn’t used in the last two years?”

Among the major unanswered questions at this stage, according to Luttwak: “What could have been the potential compromise? How many emails could have been read, or other services [accessed]?”

And ultimately, “are there definitive logs — actual proof — that this key was not used [in other ways] by the threat actor?” he said.

“This is a very advanced attacker. They were able to compromise the network, they were able to find a secret [key] that Microsoft was unable to find,” Luttwak said. “And so I assume this advanced attacker knows what they’re doing — and if they got access to [additional services], they would use it.”

Wiz, a $10 billion cloud security firm that Luttwak co-founded in 2020, has previously discovered numerous security issues impacting Microsoft cloud platforms including Azure.

Microsoft has attributed the breach to a hacking group believed to have been working on behalf of the Chinese government, which the company tracks under the identifier “Storm-0558.”

In response to a CRN inquiry asking about Luttwak’s comments, Microsoft said in a statement Wednesday that its investigations “have not detected any other use of this pattern by other actors and Microsoft has taken steps to block related abuse.”

The breach was discovered after a U.S. federal civilian agency “identified suspicious activity in their Microsoft 365 (M365) cloud environment,” and reported it to Microsoft, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a post in July.

According to CISA, the data stolen in the attack was not classified, and the number of impacted accounts was minimal. “Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” CISA said in its post at the time.

More Questions

In its blog Wednesday, Microsoft also disclosed that a flaw caused the Azure Active Directory key used in the compromise to be improperly captured, and stored in a file, following a Windows system crash in April 2021. Another flaw led to the presence of the key not being detected, Microsoft said.

The file containing the key was then “subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network,” the company said.

After that, the threat actor was able to access the file containing the key through compromising a corporate account belonging to a Microsoft engineer, according to the company.

“This account had access to the debugging environment containing the crash [file] which incorrectly contained the key,” Microsoft said in the post.

The attacker’s access to the debugging environment raises further questions about the potential impacts of the incident, Luttwak told CRN.

“Can we know that this was limited only to the debugging environment?” he said. “The Microsoft network is very big.”

In its statement provided to CRN Wednesday, Microsoft said that “we have no indication to believe that Storm-0558 has continued access to any of Microsoft’s networks or environments.”