Microsoft said on Friday that Chinese hackers misused one of its digital keys and used a loophole in the company’s code to steal email from US government agencies and other customers.
The company said in a blog post that the hackers were able to use that key — which they acquired under undisclosed circumstances — and took advantage of “a validation error in Microsoft code” to carry out their cyberespionage campaign.
The blog provided the most detailed explanation yet for the hack that rocked both the cyber security industry and Sino-US relations. Beijing has denied any involvement in the espionage.
Microsoft and US officials said Wednesday night that hackers linked to the Chinese state have been secretly accessing the email accounts of about 25 organizations since May. US officials said these included at least two government agencies: the State and Commerce Departments.
Secretary of State Antony Blinken told Wang Yi, China’s top diplomat, at a meeting in Jakarta on Thursday that any action targeting the US government, US companies or US citizens “is of deep concern to us, and we will take appropriate action”. ” Hold those responsible accountable, according to a senior State Department official.
Microsoft’s blog post did not explain how the hackers got their hands on one of the company’s digital keys, leading some experts to speculate that Microsoft itself was hacked before the theft.
The company did not immediately respond to questions about the key.
The breach has put Microsoft’s security practices under scrutiny, with officials and lawmakers calling on the Redmond, Washington-based company to make its top-level digital auditing, also known as logging, available for free to all of its customers. asked for.
Microsoft said in a statement late Thursday that it was taking the criticism seriously.
“We are evaluating the feedback and are open to other models,” the company said. The company said it is “actively engaged” with the US authorities on the matter.
© Thomson Reuters 2023