Microsoft improves government account safety after China hack
Microsoft has overhauled how it handles the token signing keys that Chinese hackers exploited last summer to break into government email accounts.
Why it matters: The changes will help keep malicious hackers from replicating last summer's hack, which exposed emails tied to officials at the State Department and even Commerce Secretary Gina Raimondo.
Driving the news: Microsoft shared the update in a progress report released Monday detailing ongoing work for its Secure Future Initiative.
Zoom in: Token signing keys for U.S. government and public sector cloud accounts are now generated, stored and rotated automatically, Charlie Bell, Microsoft's executive vice president of security, wrote in a blog post.
- Signing keys are also now stored in a hardware security module (HSM), which keeps the private key material out of reach of user accounts.
- The company also cut the lifespan of the access tokens issued to its internal employees to seven days, so a stolen token expires quickly and limits how long a hacker who broke into an employee's account could use it to reach the corresponding customers' accounts.
- Microsoft also removed about 730,000 unused apps across its accounts and eliminated 5.75 million inactive tenants. Attackers have been known to find credentials for dormant third-party apps and use them as a way into companies.
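As an added illustration (not Microsoft's code and not from this article), the following Python models what these three changes buy a defender: signing keys hidden behind a sign-only handle standing in for an HSM, rotation driven by software on a schedule rather than by an operator, and a seven-day cap on token lifetime enforced by both the issuer and the verifier. The 30-day rotation interval, the HMAC stand-in for asymmetric signing, the JWT-style token layout and every subject and timestamp are assumptions chosen for the example.

```python
"""Signing-key rotation plus a token-lifetime cap, modelled in plain Python.
Added illustration, not Microsoft's code: HMAC secrets behind a sign-only
handle stand in for asymmetric keys that never leave an HSM."""
import base64
import hashlib
import hmac
import json
import secrets

MAX_TOKEN_LIFETIME = 7 * 24 * 3600  # seven-day cap, as described in the article
ROTATION_PERIOD = 30 * 24 * 3600    # assumed rotation interval, not from the article

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class KeyHandle:
    """Stand-in for an HSM-resident key: callers get sign() and a kid, never the bytes."""
    def __init__(self, created_at):
        self.kid = secrets.token_hex(8)
        self.created_at, self.retired_at = created_at, None
        self._secret = secrets.token_bytes(32)  # a real HSM never releases this

    def sign(self, data):
        return hmac.new(self._secret, data, hashlib.sha256).digest()

class KeyRing:
    """Active key plus recently retired keys that may still verify in-flight tokens."""
    def __init__(self, now):
        self.active, self.retired = KeyHandle(now), {}  # retired: kid -> KeyHandle

    def tick(self, now):
        """Software-driven rotation and pruning; no operator action involved."""
        if now - self.active.created_at >= ROTATION_PERIOD:
            self.active.retired_at = now
            self.retired[self.active.kid] = self.active
            self.active = KeyHandle(now)
        # Once every token a retired key could have signed has expired, forget it.
        self.retired = {k: h for k, h in self.retired.items()
                        if now - h.retired_at < MAX_TOKEN_LIFETIME}

    def lookup(self, kid):
        return self.active if kid == self.active.kid else self.retired.get(kid)

def encode(handle, claims):
    """Compact JWT-style token header.claims.signature; HS256 is only a stand-in."""
    header = _b64(json.dumps({"alg": "HS256", "kid": handle.kid}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}." + _b64(handle.sign(f"{header}.{body}".encode()))

def issue(ring, subject, now, lifetime=MAX_TOKEN_LIFETIME):
    lifetime = min(lifetime, MAX_TOKEN_LIFETIME)  # issuer clamps requests to the cap
    return encode(ring.active, {"sub": subject, "iat": now, "exp": now + lifetime})

def verify(ring, token, now):
    """Return (claims, None) when the token is acceptable, else (None, reason)."""
    try:
        h64, b64, s64 = token.split(".")
        header, claims, sig = json.loads(_unb64(h64)), json.loads(_unb64(b64)), _unb64(s64)
    except ValueError:
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    handle = ring.lookup(str(header.get("kid", "")))
    if handle is None:
        return None, "unknown or fully retired kid"
    if not hmac.compare_digest(handle.sign(f"{h64}.{b64}".encode()), sig):
        return None, "bad signature"
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return None, "missing iat/exp"
    if exp - iat > MAX_TOKEN_LIFETIME:  # verifier re-checks the cap independently
        return None, "lifetime exceeds cap"
    if iat > now or exp <= now:
        return None, "not yet valid or expired"
    if handle.retired_at is not None and iat > handle.retired_at:
        return None, "issued after key retirement"  # hallmark of a stolen, rotated-out key
    return claims, None

def run_scenario():
    """Walk a stolen signing key through one rotation; returns each verdict by name."""
    t0, out = 1_700_000_000, {}  # constructed timeline, not real events
    ring = KeyRing(t0)
    out["fresh"] = verify(ring, issue(ring, "alice", t0), t0 + 3600)[1]
    # A 30-day request is clamped to seven days, so the token is dead on day eight.
    out["clamped"] = verify(ring, issue(ring, "bob", t0, 30 * 86400), t0 + 8 * 86400)[1]
    # A hand-built 30-day token is refused by the verifier even though the key is valid.
    over = encode(ring.active, {"sub": "eve", "iat": t0, "exp": t0 + 30 * 86400})
    out["over_cap"] = verify(ring, over, t0 + 10)[1]
    stolen = ring.active  # attacker walks off with a copy of the current key
    t1 = t0 + ROTATION_PERIOD
    ring.tick(t1)  # scheduled rotation retires the stolen key
    out["rotated"] = ring.active.kid != stolen.kid
    legit = encode(stolen, {"sub": "carol", "iat": t1 - 60, "exp": t1 + 3540})
    out["grace_legit"] = verify(ring, legit, t1 + 10)[1]  # in-flight token still works
    forged = encode(stolen, {"sub": "admin", "iat": t1 + 100, "exp": t1 + 3700})
    out["grace_forged"] = verify(ring, forged, t1 + 200)[1]  # fresh iat gives it away
    t2 = t1 + MAX_TOKEN_LIFETIME
    ring.tick(t2)  # grace window closes and the retired key is pruned
    backdated = encode(stolen, {"sub": "admin", "iat": t1 - 1, "exp": t2 - 1})
    out["after_grace"] = verify(ring, backdated, t2 + 1)[1]
    return out
```

The residual exposure is worth noting: a thief who backdates `iat` to before the rotation can still mint tokens accepted until the grace window closes, so a stolen key is useful for at most one token lifetime after it rotates out. That is exactly why the rotation interval and the token-lifetime cap have to be set together, and why the verifier enforces the cap itself rather than trusting the issuer.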
Flashback: Last summer, Chinese hackers obtained a signing key for Microsoft's cloud identity service, which allowed them to forge authentication tokens and infiltrate government customers' email accounts.
What they're saying: "No human can either touch or take these signing keys" after these new changes, Joy Chik, president of identity and network access at Microsoft, told Axios.
- "It's automatically rotated by software, so there's no human intervention," Chik added.
- That means a key no longer stays in service just because someone forgot to schedule a rotation or apply an update.
The big picture: This is just one part of Microsoft's far-reaching security overhaul.
- The tech giant also created a new internal cybersecurity governance council, led by Microsoft CISO Igor Tsyganskiy and made up of the company's deputy CISOs, which oversees the company's cyber risk and compliance profile.
- Security performance is now officially linked to senior leadership's compensation and included in all employees' performance reviews.
- And Microsoft shared Monday it has launched a Security Skilling Academy, an internal training tool for all of its employees.
Catch up quick: Microsoft started the Secure Future Initiative in November after a series of nation-state cyberattacks involving the company's technology.
- The company expanded this project in May after discovering in January that Russia had also successfully hacked its own senior leadership's emails.
