Email security firm Mimecast has confirmed that a network intrusion earlier this year was conducted by the same “sophisticated” threat group that was behind the SolarWinds supply chain attack.
Mimecast’s networks were compromised in January after malicious actors gained access to its production grid environment.
A report released yesterday (March 16), produced by a third-party forensics team at Mandiant, has determined that the attack was conducted by the same actors who were responsible for the high-profile SolarWinds hack.
Deep dive
In a port-mortem of the attack, assailants believed to be from Russian hacking group APT29 were said to have exploited a backdoor in SolarWinds’ Orion software to gain access to the Mimecast production grid environment.
Following this, the threat actor then “accessed certain Mimecast-issued certificates and related customer server connection information”, the report details.
It reads: “The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials.
“In addition, the threat actor accessed and downloaded a limited number of our source code repositories, but we found no evidence of any modifications to our source code nor do we believe there was any impact on our products.”
Mimecast said there is “no evidence” that the threat actor accessed email or archive content held on behalf of our customers.
‘Single digit’ victims
Mimecast said it was first notified of the incident by Microsoft, later employing Mandiant, a division of FireEye, to conduct a third-party investigation.
The report details the various phases of the analysis, as well as the steps taken by Mimecast to secure user data.
Mimecast said that a “low single digit” number of customers were impacted by the attack, as reported at the time of discovery.
The vendor advised all users to reset any server credentials in use on the Mimecast platform as a precaution.
Supply chain attack
In January, the SolarWinds supply chain attack saw threat actors exploit a backdoor vulnerability in the company’s Orion software, used for IT management and monitoring, to gain access to customers’ networks.
A number of high-profile organizations such as Microsoft and FireEye were impacted by the incident, as well as numerous US government agencies.
In February, security researchers at Trustwave discovered three new severe vulnerabilities in SolarWinds, with the most critical bug opening the door to remote code execution.
All three vulnerabilities were patched before public disclosure. The supply chain attack discovered in January has also been resolved.
