The state-sponsored SolarWinds hackers who infiltrated its network earlier this year downloaded source code from a small number of repositories, according to email security company Mimecast.
The attackers used the Sunburst backdoor, malware distributed by the SolarWinds hackers to roughly 18,000 SolarWinds customers via the compromised auto-update mechanism of the SolarWinds Orion IT monitoring platform, to gain access to Mimecast’s network.
Though we first heard about the SolarWinds attack on December 13th, it was on December 8th that a leading cybersecurity firm announced that it had been hacked by a nation-state APT group.
Mimecast said at the time that hackers — suspected to be a cyber-espionage organisation operating on behalf of the Russian government — used a backdoor embedded in the Orion IT monitoring platform to gain a foothold and penetrate the company’s internal network.
The intruders took advantage of this access to steal a certificate that Mimecast issued to its customers in order for them to authenticate and link Mimecast products (such as Sync and Recover, Continuity Monitor, and IEP) to Microsoft 365 Exchange Web Services infrastructure.
The stolen certificate was used by attackers to gain access to Microsoft accounts, according to Mimecast, but the intrusions were limited to “a single-digit number” of customers.
However, Mimecast said in an updated statement released on Tuesday, March 16th, that hackers had gained access to new areas of its internal network.
“All compromised systems were Windows-based and peripheral to the core of our production customer infrastructure,” the company said.
Mimecast said it replaced all compromised servers “to eliminate the threat” and found no evidence that the threat actor accessed email or archive content that the company was storing on behalf of its customers on the impacted servers after an investigation.
However, Mimecast discovered during the follow-up investigation that the intruders were able to pivot to Mimecast’s code hosting repositories, from where they downloaded certain sections of the company’s source code — similar to how they stole source code from Microsoft’s internal network.
Mimecast also said that, as in the Microsoft incident, the intruders stole only a small portion of the code and not all of the company’s projects.
“We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service,” the company said today.
“We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products,” it added.
The SolarWinds hackers may soon get a taste of their own medicine: a senior official said that “in weeks, not months,” the Biden administration will respond to the SolarWinds hackers, who used the U.S. technology company as a springboard to compromise a raft of U.S. government agencies.