Exclusive: Senators Want Details on China's Latest Hack of Microsoft email

Senators want answers from the State Department's IT chief about how hackers, said to be from China, broke into diplomats' Microsoft email accounts earlier this year, as officials were planning high stakes visits to Beijing for Secretary of State Anthony Blinken and other cabinet officials.

In a letter sent Wednesday to State Department Chief Information Officer Kelly Fletcher, and exclusively obtained by Newsweek, 14 senators of both parties are asking for details of the extent of the breach, and the timeline on which it was fixed.

Microsoft revealed on July 11 that hackers had "acquired" a master cryptographic key, which allowed them to impersonate almost any user of the company's cloud-based Outlook email and calendar services, meaning they could log on as that person and copy all their email traffic and calendar appointments.

The letter, originally drafted by Sen. Eric Schmitt, R-Mo., was signed by GOP colleagues including Rick Scott of Florida and Bill Hagerty of Tennessee; and by the Democratic Chairman of the Senate Foreign Relations Commitee Ben Cardin of Maryland and several of his colleagues including Tim Kaine of Virginia. It asks for a "closed, unclassified briefing" for members and staff by September 6.

The intrusion, which started mid-May and was discovered a month later, would have allowed Beijing to see into diplomats' planning for a succession of high stakes visits to China in June and July by U.S. cabinet members, including Blinken, Commerce Secretary Gina Raimondi and Treasury Secretary Janet Yellen, according to former officials.

The hack has led to questions about Microsoft's relationship with China and whether that creates risks for the U.S. government, which relies heavily on the Redmond, Wash.-based tech giant's services and products.

The senators' letter also asks Fletcher to explain how she plans to "ensure a more robust, layered cybersecurity architecture that includes multiple cybersecurity vendors for unclassified email," highlighting increasing concern in Congress about the growing dominance of a single software vendor, Microsoft, throughout the federal government.

Microsoft, which already provides by some estimates 85 percent of U.S. government IT operating systems and office software, is now making a play to sell cybersecurity tools as well, starting, as Newsweek's previous reporting has highlighted, with the Pentagon.

If the federal government uses Microsoft products for all its computer operating systems, office software and security tools, "you are putting all of your eggs into one basket, and a basket that clearly has got some holes in it," said Adam Meyers, senior vice president for intelligence at CrowdStrike, a cybersecurity company that competes with Microsoft in the security tools market.

This latest hack, which Microsoft says struck two dozen organizations in the U.S. and Europe, comes amid renewed questions about the security of the software produced by the tech giant, the second largest company in the world by market capitalization.

"We need to know a lot more about this attack than we do right now," said Ryan Kalember, executive vice president at cybersecurity company Proofpoint, which also competes with Microsoft in some of its business.

Microsoft said on July 11 that it had discovered the full extent of the intrusion and completely contained it, but independent security researchers last week suggested that the scope of the hackers' access might have been much wider than initially thought because of the power and reach of the cryptographic master key the hackers acquired.

The access tokens that can be forged with such a master key "are like passports in Microsoft world," admitting users and giving them rights in the system, said Kalember. Such tokens are important for usability, he explained, because they allowed users to log in once, and then use multiple services without having to log in anew each time.

But the apparently limitless reach of the tokens the hackers were able to forge underlined a serious problem with Microsoft's security architecture, he said.

"The key shouldn't work in every lock," Kalember said. "But with Microsoft it's all the same plumbing."

He said the sheer reach of the key, versions of which might have been available to Chinese businesses that partnered with Microsoft, highlighted the question of the company's rather cozy relationships in China.

"Microsoft does business in China," Kalember said. "They have all kinds of consumer developers and partners there, they have a Chinese subsidiary."

The Chinese hackers "might have got the key that way. We know that threat actors in China have previously abused" those kinds of relationships, he said.

The hack also underlined accusations that the company is boosting its $200 billion-plus annual revenue by charging extra for services that can be used to trace hackers in their system.

Those allegations date back to the Solar Winds hacking campaign of 2020, when Russian spies broke into dozens of federal departments and agencies. Many who had been victims of the hack were unable to discover where the hackers might have been or what they might have stolen because the event logs they needed were only available to premium customers paying Microsoft for a higher tier of service.

For more than two years Microsoft executives and U.S. officials said they were working on the issue, but no visible progress was made.

Then, on July 11, Rick Wagner, the president of Microsoft Federal, the subsidiary that sells to the U.S. government, suddenly left his job, and Microsoft revealed the Outlook hack, which was found by State Department personnel using Microsoft's premium service—prompting a slew of critical commentary on the logging issue.

"Charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags," Sen. Ron Wyden, D-Ore., told news agencies.

A week later, Microsoft announced it would offer advanced logging capabilities for free to all its customers, inside and outside of government, starting in September.

The move is too little, too late for some critics. "We should not be celebrating Microsoft's decision—this was not an act of altruism," former White House cybersecurity official Roger Cressy told Newsweek. Cressey said it took two years of behind-the-scenes government pressure and a second disastrous hack, but "Microsoft finally saw the writing on the wall and was forced to do the right thing."

Congratulating the company, added Cressey, who occasionally consults for Microsoft competitors, "is the cybersecurity equivalent of a trophy for participation."

Shaun Waterman can be reached at s.waterman@newsweek.com. Follow him on Twitter @WatermanReports.