As Congress settles into August recess, investigations into a high-profile hack of government email accounts are just starting to heat up.
The House Oversight and Accountability Committee is now probing the breaches of unclassified Microsoft email accounts at the Commerce Department and State Department by a China-linked group. In separate letters sent to Commerce Secretary Gina Raimondo and Secretary of State Antony Blinken today, lawmakers request staff briefings on the breaches no later than Aug. 9.
The hackers were reportedly able to access the unclassified email of Raimondo herself, as well as high-level State Department officials.
The briefings were requested by House Oversight and Accountability Committee Chairman James Comer (R-Ky.); subcommittee on cybersecurity, information technology and government innovation Chairwoman Nancy Mace (R-S.C.); and subcommittee on national security, the border, and foreign affairs Chairman Glenn Grothman (R-Wis.).
They want more information on “the discovery of, impact of, and response to the intrusion” at both Commerce and State.
“We are also concerned that this attack on federal agencies, including the email account of a senior U.S. government official such as yourself, reflects a new level of skill and sophistication from China’s hackers,” the lawmakers wrote in their letter to Raimondo.
“The incident even raises the possibility that Chinese hackers may be able to access high-level computer networks and remain undetected for months if not years,” they add.
The intrusions are reported to have begun on May 15 and lasted until June 16, when Microsoft began its investigation. A Cybersecurity and Infrastructure Security Agency official told reporters that one of the federal agencies detected unusual activities in its network logs and first notified Microsoft.
The hackers were able to exploit a flaw in Microsoft’s cloud computing environment. In its own advisory, Microsoft attributed the activity to a “China-based actor” known as Storm-0558. The company’s investigation found the hackers used a stolen Microsoft private encryption key to forge authentication tokens and gain access to user accounts.
The new House investigation comes after 14 senators sent State Department Chief Information Officer Kelly Fletcher a July 26 letter seeking more information on the intrusions.
In addition to asking for more details on the breach, the senators also want information on the steps State is taking to ensure future sophisticated attacks are mitigated.
They specifically ask how the intrusion will “shape” the agency’s potential $10 billion Evolve IT initiative. “How will you ensure a more robust, layered cybersecurity architecture that includes multiple cybersecurity vendors for unclassified email?” they wrote.
Meanwhile, Sen. Ron Wyden (D-Ore.) has separately called on multiple agencies to investigate what he called Microsoft’s “negligent” cybersecurity practices in connection with the breach.
“Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident,” Wyden wrote in a July 27 letter, pointing the finger at Microsoft’s reported use of an expired encryption token that acted as a “skeleton key” to forge access to multiple private accounts.
Wyden also connected the recent incident to the use of stolen encryption keys and forged Microsoft credentials during the 2020 SolarWinds campaign.
“Holding Microsoft responsible for its negligence will require a whole-of-government effort,” Wyden wrote.
He specifically called on CISA Director Jen Easterly to have the Department of Homeland Security’s Cyber Safety Review Board review the recent incident, with a particular focus on Microsoft’s potential culpability.
And he called on the Justice Department to investigate whether Microsoft’s practices violated federal law in connection with DOJ’s Civil-Cyber Fraud Initiative.
Furthermore, Wyden called on the Federal Trade Commission to investigate whether Microsoft’s privacy and data security practices related to the email breach violated federal trade laws.
He specifically points to a consent decree that expired last December, but required Microsoft to “establish and maintain a comprehensive information security program in writing that is reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers” related to its single sign-on services.
“If Microsoft’s negligent cybersecurity practices predated the expiration of the consent decree, I also urge you to take all necessary steps to hold the company responsible for any violations of that order,” Wyden wrote.
A spokesman for Wyden said his office has yet to receive a response from any of the agencies in the letter.