Microsoft Forgoes Its Secure Future

Tom Uren
Friday, February 13, 2026, 12:00 PM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
Building at Microsoft Corp. Headquarters, Redmond, Washington (Source: Wikimedia)

Microsoft Forgoes Its Secure Future

For a brief time, Microsoft appeared to be making security a priority. As with all good things, though, it appears that period has come to an end with personnel changes at the organization signaling a shift in priorities. We fear Microsoft's goal now is not to make secure products, so much as to sell security products.

Last week, CEO Satya Nadella announced that Microsoft Executive Vice President of Security Charlie Bell had been replaced by Hayete Gallot, who was most recently president of customer experience at Google Cloud. Bell is stepping back from leading Microsoft's security organization to become an individual contributor engineer.

Now that Bell has gone, it appears the guise of "security first" has been tossed aside, and we fear the company may slip back into being a security disaster.

Bell has a great reputation and joined Microsoft to make a positive impact on its security. Despite this, a potted history of his tenure at Microsoft shows that the company itself prioritized security only when it was forced to by government pressure.

Bell joined Microsoft from Amazon Web Services to lead a new security organization in 2021. At the time of his hiring, we wrote that we had consistently, for months on end, shown "example after example of Microsoft security clangers."

Those rolling security debacles were a symptom of senior leadership prioritizing profit over security. At the time we predicted that Bell would struggle to make a difference. We were right. Not even an exceptional manager can change much if the CEO and executive team aren't interested.

A 2022 profile of Bell in The Information reported that Microsoft's old guard managers "pushed back on Bell’s suggestions for improving their responsiveness to security vulnerabilities, believing he was setting too high a bar for stopping attacks on its products." The company continued to pay lip service to security, although it did launch a lackluster security uplift program, the Secure Future Initiative, in late 2023.

Microsoft's devil-may-care approach to security came back to bite it after separate compromises by Chinese and then Russian state hackers were discovered. The security lapses that led to these breaches were, frankly, unbelievable.

In April 2024, a Cyber Safety Review Board (CSRB) report into the Chinese breach, which had compromised the email accounts of senior U.S. policymakers, found a "cascade of security failures."

It wasn't until this kick up the pants that Microsoft truly embraced security. The following month, Nadella told staff to prioritize security "above all else" and that "if you’re faced with the tradeoff between security and another priority, your answer is clear: Do security" (emphasis in original).

There was a short halcyon period where Bell was able to kick some goals.

But the Trump administration has since disbanded the CSRB and signaled that it is not interested in strong regulation. The pressure is off. Microsoft execs can grab a coffee and relax.

Which brings us back to the recent change in security leadership and, in particular, Nadella's messaging in his public announcement of Gallot's appointment. It sends strong warning bells that security at Microsoft is falling by the wayside.

Nadella had an opportunity to highlight Gallot's work experience in security roles. Instead, he focused on her "critical roles in building two of our biggest franchises" and "leading our … go-to-market efforts."

Much of Nadella's announcement was about selling more security products. He said that the company has "great momentum in security, including … strong Purview adoption and continued customer growth."

Entirely missing was any language about the importance of actual security to the company or a call for people to get behind the critically important security work that Gallot will lead. If it talks like a sales target and walks like a sales target, it ain't security. It's a recipe for security sales.

Sad panda.

Imitation Is the Sincerest Form of Sabotage

Leaked documents suggest that China is actively developing capabilities to launch disruptive attacks on the power grids and transportation networks of neighboring countries. Nobody should necessarily be surprised, but governments should certainly be prepared.

The leaked documents were first reported on the NetAskari substack and then later by The Record. They come from the Chinese company Nanjing Saining Network Technologies, ironically known as Cyberpeace in English. The documents describe a training environment and cyber range created by the company known as "Expedition Cloud."

Expedition Cloud wasn't created solely for defensive purposes, however. One key function is to simulate the real network environment and vulnerabilities of "major adversaries" in Southeast Asia and the South China Sea. Additionally, the documents specify that the networks to be emulated are power generation and transportation networks. These are not intelligence targets, but instead disruption and sabotage marks.

This leak not only sheds light on China's intent but also speaks to the methodical preparation that its hackers engage in. The Expedition Cloud is exactly the sort of practice pitch that sophisticated teams would use. Here's where they develop the tools, techniques, and in-depth understanding of networks to maximize and precisely calibrate impact on a target's critical infrastructure.

This underscores the seriousness of the Chinese hacker group Volt Typhoon's presence within American critical infrastructure. Volt Typhoon was publicly revealed in 2023. Some of the Expedition Cloud documents date back to 2021. This timeline suggests Volt Typhoon is likely using a similar cyber range to develop and test plans in order to achieve specific disruptive effects on U.S. infrastructure.

There's a key message here for the governments in China's firing line. Chinese hackers are actively rehearsing their cyber disruption playbooks. What are you doing in response?

404: Iranian Air Defense Not Found

The Record has reported that a U.S. cyber operation disrupted Iranian air defense systems during last year's strikes on Iranian nuclear facilities. The report furthers our belief that while cyber operations won't win a war on their own, they will become a regular part of well-planned military operations.

The Record cited "several U.S. officials" who said the operation was part of the reason surface-to-air missiles were not launched when American warplanes entered Iranian air space. Precise details are scarce, but it appears a key military system or communication node connecting the nuclear sites at Fordo, Natanz, and Isfahan was somehow affected. This, in turn, degraded Iran's entire air defense system.

In other words, the operation didn't directly target air defense systems but instead acted on a key dependency that happened to be vulnerable.

This is consistent with something we've said a few times at Seriously Risky Business: disruptive cyber operations can help military action when lead times are long.

We now have three sterling examples of disruptive cyber operations being combined with conventional military action to increase the chances of achieving an overall objective.

Back in 2022, Russia's multipronged attack on Ukrainian telecommunications networks included the disruption of Viasat's KA-SAT network and an internet service provider in the early hours of its invasion of Ukraine. Russia did not achieve its overall military objective, but the cyber operations themselves successfully disrupted the targeted communications networks.

Then earlier this year a cyber operation reportedly disrupted Caracas's power grid during the U.S. raid that captured Venezuelan President Nicolás Maduro.

When Maduro was captured, the cyber blackout was desirable and contributed to mission success. It wasn't, however, a key plank on which the operation relied. The U.S. had conventional military options that could have achieved the same outcome, albeit perhaps with more collateral damage.

In each of these incidents, a long lead time has meant the cyber portion of an operation could be developed, planned, and tested. The cyber disruption was complementary to on-the-ground military action. But it was not decisive for the overall mission.

When it comes to the recent revelations about bombing Iran, disabling air defenses with a cyber operation sounds far more significant. Keep in mind, however, that it was just part of the mix. The U.S. has stealth technology and electronic warfare aircraft. Plus Israel had already taken out multiple Iranian air defense systems in the days leading up to the strike.

Regardless, our take remains the same. When militaries with capable cyber forces have time to do their homework, cyber operations will play an important role.

Three Reasons to Be Cheerful This Week:

  1. FTC reminds data brokers of law: The Federal Trade Commission has sent warning letters to 13 data brokers reminding them of their responsibility to not sell sensitive data about Americans to foreign adversaries. The Protecting Americans' Data from Foreign Adversaries Act forbids data brokers from selling sensitive data to any foreign adversary, including North Korea, China, Russia, and Iran.
  2. Russian military scrambling after Starlink cuts access: The allowlisting of Starlink terminals to only allow Ukrainian use of the service is having an impact and causing "chaos," at least according to some pro-war Russian military bloggers.
  3. Crime doesn't pay! Or to be more precise, data extortion ransomware doesn't pay. In its latest quarterly report, ransomware incident response firm Coveware says that very few victims are paying ransoms when their data is stolen. Coveware cites the Cl0p ransomware group's campaign stealing data held in Oracle E-Business Suite. Despite this being Cl0p's largest data theft campaign, Coveware is not aware that any victims have paid up.

Shorts

Russia's Expanding Sabotage Campaign

This week's Economist examined Russia's recent disruptive attacks on Poland's electricity grid. The piece says it is worrying because it's an escalation, and the technical evidence suggests that Russia's state security service, the FSB, was involved.

In a recent "Between Two Nerds," The Grugq and I discussed whether this attack was not a deliberate escalation but instead the result of internal bureaucratic incentives to hit key performance indicators. Even if the BTN hypothesis is correct, you'd be foolhardy to assume that there is nothing to worry about.

Risky Biz Talks

In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq talk about why the world is destined to be perpetually insecure.

From Risky Bulletin:

Chinese cyber-spies breached all of Singapore's telecommunication companies: Singapore's cybersecurity agency says that a Chinese cyber espionage group has breached all of the country's four major telecom providers—M1, SIMBA Telecom, Singtel, and StarHub.

The Cyber Security Agency of Singapore attributed the attacks to a group tracked as UNC3886.

The breaches took place last year, and the agency spent 11 months with industry groups investigating and evicting the hackers from the compromised networks.

[more on Risky Bulletin]

SmarterTools hacked via its own product: SmarterTools, the company behind the SmarterMail email server, was hacked via a vulnerability in its own product.

The incident took place at the end of last month, on Jan. 29.

The Warlock ransomware group breached 30 email servers running on the company's office network and inside a data center used for quality control testing.

SmarterTools COO Derek Curtis says the entry point was a virtual machine that was not updated, allowing the hackers to enter its network and then spread to the other servers.

[more on Risky Bulletin]

Denmark recruits hackers for offensive cyber operations: Denmark's military intelligence service has launched a campaign to recruit cybersecurity specialists for offensive cyber operations.

The recruits will work "to compromise the opponents’ networks and obtain information for the benefit of Denmark’s security," the Forsvarets Efterretningstjeneste (Danish Defense Intelligence Service, or DDIS) said in a press release last week.

The new recruits will go through a five-month training course at the agency's hacker academy.

[more on Risky Bulletin]


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.