Mimecast Says SolarWinds Hackers Stole Source Code

Email security company Mimecast on Tuesday said it completed its forensic investigation into the impact of the SolarWinds supply chain attack, and revealed that the threat actor managed to steal some source code.

Mimecast was one of the several cybersecurity companies to confirm being targeted by the hackers who breached the systems of IT management solutions provider SolarWinds.

After compromising SolarWinds systems, the attackers, who have been linked to Russia, used their access to deliver malicious updates for SolarWinds’ Orion monitoring product to roughly 18,000 customers. A few hundred of these customers, including government and private organizations, were further targeted.

One of these targets was Mimecast, which learned about the intrusion from Microsoft. The tech giant had noticed that a certificate used by Mimecast customers to authenticate certain products with Microsoft 365 services had been compromised.

The investigation, conducted with the aid of FireEye’s Mandiant incident response unit, revealed that the hackers gained access to part of Mimecast’s production environment using the SUNBURST malware delivered via malicious Orion product updates.

The threat actor then managed to move laterally within the compromised environment, gaining access to various types of systems and information.

The compromised certificate discovered by Microsoft was used by the attackers to connect to the Microsoft 365 tenants of a “low single-digit number” of customers.

In addition, the hackers obtained encrypted service account credentials created by customers in the US and UK. These credentials, which are used for connections between Mimecast tenants and on-premises and cloud services, do not appear to have been decrypted or misused.

“We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers,” Mimecast said in an incident report published on Tuesday.

However, the attackers did manage to gain access to a “subset” of email addresses and other contact information, as well as hashed and salted credentials. Impacted customers have been notified.

The investigation also showed that the attackers — similar to what they did in the case of other victims, including Microsoft — accessed and downloaded “a limited number” of source code repositories.

“We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service. We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products,” Mimecast said.

In response to the incident, the cybersecurity firm rotated all impacted encryption keys and certificates, stopped using the Orion product, changed all employee and system credentials, enhanced authentication security, completely replaced all hacked servers, and rolled out additional security monitoring systems.

Related: Microsoft Says Its Services Not Used as Entry Point by SolarWinds Hackers

Related: Everything You Need to Know About the SolarWinds Attack

Related: Many SolarWinds Customers Failed to Secure Systems Following Hack

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.