Srsly Risky Biz: Microsoft Forgoes Its Secure Future
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Trail of Bits.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

For a brief time, Microsoft appeared to be making security a priority. As with all good things, though, it appears that period has come to an end, with personnel changes at the organisation signalling a shift in priorities. We fear Microsoft's goal now is not to make secure products so much as to sell security products.
Last week, CEO Satya Nadella announced that Microsoft's Executive Vice President of Security Charlie Bell had been replaced by Hayete Gallot, who was most recently President of customer experience at Google Cloud. Bell is stepping back from leading Microsoft's security organisation to become an individual contributor engineer.
Now that Bell has gone, it appears the guise of "security first" has been tossed aside, and we fear the company may slip back into being a security disaster.
Bell has a great reputation and joined Microsoft to make a positive impact on its security. Despite this, a potted history of his tenure at Microsoft shows that the company itself only prioritised security when it was forced to by government pressure.
Bell joined Microsoft from AWS to lead a new security organisation in 2021. At the time of his hiring we wrote that we had consistently, for months on end, shown "example after example of Microsoft security clangers".
Those rolling security debacles were a symptom of senior leadership prioritising profit over security. At the time we predicted that Bell would struggle to make a difference. We were right. Not even an exceptional manager can change much if the CEO and executive team aren't interested.
A 2022 profile of Bell in The Information reported that Microsoft's old guard managers "pushed back on Bell’s suggestions for improving their responsiveness to security vulnerabilities, believing he was setting too high a bar for stopping attacks on its products". The company continued to pay lip service to security, although it did launch a lacklustre security uplift program, the Secure Future Initiative, in late 2023.
Microsoft's devil-may-care approach to security came back to bite it after separate compromises by Chinese and then Russian state hackers were discovered. The security lapses that led to these breaches were, frankly, unbelievable.
In April 2024, a Cyber Safety Review Board (CSRB) report into the Chinese breach, which had compromised the email accounts of senior US policymakers, found a "cascade of security failures".
It wasn't until this kick up the pants that Microsoft truly embraced security. The following month, CEO Satya Nadella told staff to prioritise security "above all else" and that "if you’re faced with the tradeoff between security and another priority, your answer is clear: Do security" [emphasis in original].
There was a short halcyon period where Bell was able to kick some goals.
But the Trump administration has since disbanded the CSRB and signalled that it is not interested in strong regulation. The pressure is off. Microsoft execs can grab a coffee and relax.
Which brings us back to the recent change in security leadership and, in particular, Nadella's messaging in his public announcement of Gallot's appointment. It sends strong warning bells that security at Microsoft is falling by the wayside.
Nadella had an opportunity to highlight Gallot's work experience in security roles. Instead, he focussed on her "critical roles in building two of our biggest franchises" and "leading our… go-to-market efforts".
Much of Nadella's announcement was about selling more security products. He said that the company has, "great momentum in security, including… strong Purview adoption and continued customer growth".
Entirely missing was any language about the importance of actual security to the company or a call for people to get behind the critically important security work that Gallot will lead.
If it talks like a sales target and walks like a sales target, it ain't security. It's a recipe for security sales.
Sad panda.
Imitation Is The Sincerest Form of Sabotage
Leaked documents suggest that China is actively developing capabilities to launch disruptive attacks on the power grids and transportation networks of neighbouring countries. Nobody should necessarily be surprised, but governments should certainly be prepared.
The leaked documents were first reported on the NetAskari substack and then later by The Record. They come from the Chinese company Nanjing Saining Network Technologies, ironically known as Cyberpeace in English. The documents describe a training environment and cyber range created by the company known as "Expedition Cloud".
Expedition Cloud wasn't created solely for defensive purposes, however. One key function is to simulate the real network environment and vulnerabilities of "major adversaries" in Southeast Asia and the South China Sea. Additionally, the documents specify that the networks to be emulated are power generation and transportation networks. These are not intelligence targets, but instead disruption and sabotage marks.
This leak not only sheds light on China's intent, it also speaks to the methodical preparation that its hackers engage in. The Expedition Cloud is exactly the sort of practice pitch that sophisticated teams would use. Here's where they develop the tools, techniques and in-depth understanding of networks to maximise and precisely calibrate impact on a target's critical infrastructure.
This underscores the seriousness of the Chinese hacker group Volt Typhoon's presence within American critical infrastructure. Volt Typhoon was publicly revealed in 2023. Some of the Expedition Cloud documents date back to 2021. This timeline suggests Volt Typhoon is likely using a similar cyber range to develop and test plans in order to achieve specific disruptive effects on US infrastructure.
There's a key message here for the governments in China's firing line. Chinese hackers are actively rehearsing their cyber disruption playbooks. What are you doing in response?
404: Iranian Air Defence Not Found
The Record has reported that a US cyber operation disrupted Iranian air defence systems during last year's strikes on Iranian nuclear facilities. The report furthers our belief that while cyber operations won't win a war on their own, they will become a regular part of well-planned military operations.
The Record cited "several US officials" who said the operation was part of the reason surface-to-air missiles were not launched when American warplanes entered Iranian airspace. Precise details are scarce, but it appears a key military system or communication node connecting the nuclear sites at Fordo, Natanz, and Isfahan was somehow affected. This, in turn, degraded Iran's entire air defence system.
In other words, the operation didn't directly target air defence systems, but instead a key dependency that happened to be vulnerable.
This is consistent with something we've said a few times at Seriously Risky Business: disruptive cyber operations can help military action when lead times are long.
We now have three sterling examples of disruptive cyber operations being combined with conventional military action to increase the chances of achieving an overall objective.
Back in 2022, Russia's multi-pronged attack on Ukrainian telecommunications networks included the disruption of Viasat's KA-SAT network and an ISP in the early hours of its invasion of Ukraine. Russia did not achieve its overall military objective, but the cyber operations themselves successfully disrupted the targeted communications networks.
Then earlier this year a cyber operation reportedly disrupted Caracas's power grid during the US raid that captured Venezuelan President Nicolás Maduro.
When Maduro was captured, the cyber blackout was desirable and contributed to mission success. It wasn't, however, a key plank upon which the operation relied. The US had conventional military options that could have achieved the same outcome, albeit perhaps with more collateral damage.
In each of these incidents, a long lead time has meant the cyber portion of an operation could be developed, planned and tested. The cyber disruption was complementary to on-the-ground military action. But it was not decisive for the overall mission.
When it comes to the recent revelations about bombing Iran, disabling air defences with a cyber operation sounds far more significant. Keep in mind however, it was just part of the mix. The US has stealth technology and electronic warfare aircraft. Plus Israel had already taken out multiple Iranian air defence systems in the days leading up to the strike.
Regardless, our take remains the same. When militaries with capable cyber forces have time to do their homework, cyber operations will play an important role.
Three Reasons to Be Cheerful This Week:
- FTC reminds data brokers of law: The US Federal Trade Commission has sent warning letters to 13 data brokers reminding them of their responsibility to not sell sensitive data about Americans to foreign adversaries. The Protecting Americans' Data from Foreign Adversaries Act forbids data brokers from selling sensitive data to any foreign adversary including North Korea, China, Russia or Iran.
- Russian military scrambling after Starlink cuts access: The allowlisting of Starlink terminals to only allow Ukrainian use of the service is having an impact and causing "chaos", at least according to some pro-war Russian military bloggers.
- Crime doesn't pay! Or to be more precise, data extortion ransomware doesn't pay. In its latest quarterly report, ransomware incident response firm Coveware says that very few victims are paying ransoms when their data is stolen. Coveware cites the Cl0p ransomware group's campaign stealing data held in Oracle E-Business Suite. Despite this being Cl0p's largest data theft campaign, Coveware is not aware that any victims have paid up.
Sponsor Section
In this Risky Business sponsored interview, Tom Uren talks to Trail of Bits CEO Dan Guido about how Trail of Bits is reworking its business processes to take advantage of AI. Dan talks about what it takes to make AI agents reliable and trustworthy and how that will give the company an edge by making its work both better and faster.
Shorts
Russia's Expanding Sabotage Campaign
This week's Economist examined Russia's recent disruptive attacks on Poland's electricity grid. The piece says it is worrying because it's an escalation, and the technical evidence suggests that Russia's state security service, the FSB, was involved.
In a recent Between Two Nerds, The Grugq and I discussed whether this attack was not a deliberate escalation but instead the result of internal bureaucratic incentives to hit key performance indicators. Even if the BTN hypothesis is correct, you'd be foolhardy to assume that there is nothing to worry about.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about why the world is destined to be perpetually insecure.
Or watch it on YouTube!
From Risky Bulletin:
Chinese cyber-spies breached all of Singapore's telcos: Singapore's cybersecurity agency says that a Chinese cyber-espionage group has breached all of the country's four major telecom providers—M1, SIMBA Telecom, Singtel, and StarHub.
The Cyber Security Agency of Singapore (CSA) attributed the attacks to a group tracked as UNC3886.
The breaches took place last year and the agency spent 11 months with industry groups investigating and evicting the hackers from the compromised networks.
[more on Risky Bulletin]
SmarterTools hacked via its own product: SmarterTools, the company behind the SmarterMail email server, was hacked via a vulnerability in its own product.
The incident took place at the end of last month, on January 29.
The Warlock ransomware group breached 30 email servers running on the company's office network and inside a data center used for quality control testing.
SmarterTools COO Derek Curtis says the entry point was a virtual machine that was not updated, allowing the hackers to enter its network and then spread to the other servers.
[more on Risky Bulletin]
Denmark recruits hackers for offensive cyber operations: Denmark's military intelligence service has launched a campaign to recruit cybersecurity specialists for offensive cyber operations.
The recruits will work "to compromise the opponents’ networks and obtain information for the benefit of Denmark’s security," the Forsvarets Efterretningstjeneste (Danish Defence Intelligence Service, or DDIS) said in a press release last week.
The new recruits will go through a five-month training course at the agency's hacker academy.
[more on Risky Bulletin]