Mimecast says SolarWinds hackers breached its network and spied on customers
Email-management provider Mimecast has confirmed that a network intrusion used to spy on its customers was conducted by the same advanced hackers responsible for the SolarWinds supply chain attack.
The hackers, which US intelligence agencies have said likely have Russian origins, used a backdoored update for SolarWinds Orion software to target a small number of Mimecast customers. Exploiting the Sunburst malware sneaked into the update, the attackers first gained access to part of the Mimecast production-grid environment. They then accessed a Mimecast-issued certificate that some customers use to authenticate various Microsoft 365 Exchange web services.
Tapping Microsoft 365 connections
Working with Microsoft, which first discovered the breach and reported it to Mimecast, company investigators found that the threat actors then used the certificate to “connect to a low single-digit number of our mutual customers’ M365 tenants from non-Mimecast IP address ranges.”
The hackers also accessed email addresses, contact information, and “encrypted and/or hashed and salted credentials.” A limited number of source code repositories were also downloaded, but Mimecast said there’s no evidence of modifications or impact on company products. The company went on to say that there is no evidence that the hackers accessed email or archive content Mimecast holds on behalf of its customers.
In a post published Tuesday, Mimecast officials wrote:
While the evidence showed that this certificate was used to target only the small number of customers, we quickly formulated a plan to mitigate potential risk for all customers who used the certificate. We made a new certificate connection available and advised these customers and relevant supporting partners, via email, in-app notifications, and outbound calls, to take the precautionary step of switching to the new connection. Our public blog post provided visibility surrounding this stage of the incident.
We coordinated with Microsoft to confirm that there was no further unauthorized use of the compromised Mimecast certificate and worked with our customers and partners to migrate to the new certificate connection. Once a majority of our customers had implemented the new certificate connection, Microsoft disabled the compromised certificate at our request.
The chosen few
The SolarWinds supply chain attack came to light in December. Attackers carried it out by infecting the Austin, Texas company’s software build and distribution system and using it to push out an update that was downloaded and installed by 18,000 SolarWinds customers.
Mimecast was one of a small number of those customers who received follow-on malware that allowed the attackers to burrow deeper into infected networks to access specific content of interest. White House officials have said that at least nine federal agencies and 100 private companies were hit in the attack, which went undetected for months.
Certificate compromises allow hackers to read and modify encrypted data as it travels over the Internet. For that to happen, a hacker must first gain the ability to monitor the connection going into and out of a target’s network. Typically, certificate compromises require access to highly fortified storage devices that store private encryption keys. That access usually requires deep-level hacking or insider access.
Underscoring how surgical the supply-chain attack was, Mimecast was among the small percentage of SolarWinds customers who received a follow-on attack. In turn, of the several thousand Mimecast customers believed to have used the compromised certificate, fewer than 10 were actually targeted. Limiting the number of targets receiving follow-on malware and launching the attacks from services located in the US were two of the ways the hackers kept their operation from being discovered.
When Mimecast first disclosed the certificate compromise in January, the similarities with parts of the SolarWinds attack generated speculation the two events were connected. Tuesday’s Mimecast post is the first formal confirmation of that connection.