Email management provider Mimecast has confirmed that a network intrusion used to spy on its customers was carried out by the same sophisticated hackers responsible for the SolarWinds supply chain attack.
The hackers, who US intelligence officials have said are likely Russian, used a backdoored update to SolarWinds’ Orion software to target a small number of Mimecast customers. Using the Sunburst malware that was slipped into the update, the attackers first gained access to part of the Mimecast production network environment. From there they obtained access to a Mimecast-issued certificate that some customers use to authenticate various Microsoft 365 Exchange web services.
Tapping into Microsoft 365 connections
Working with Microsoft, which first discovered the breach and reported it to Mimecast, company researchers found that the threat actors then used the certificate to “connect to a low single-digit number of M365 tenants of our mutual customers from non-Mimecast IP address ranges.”
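The detail that matters for defenders here is the source of the connections: a provider-issued certificate authenticating to a tenant from addresses outside the provider’s own ranges. As an added example (not code from the article or from Mimecast), the following check reviews certificate-based sign-in records against an allowlist of expected source ranges; the CIDRs, certificate thumbprint and log records are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed allowlist of the source ranges the mail-security provider is
# expected to connect from (placeholder CIDRs, not any vendor's real ranges).
PROVIDER_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample of tenant sign-in records for certificate-based
# authentication: (timestamp, client source IP, certificate thumbprint).
# The thumbprint is a placeholder, not the compromised certificate's value.
SAMPLE_EVENTS = [
    ("2021-01-10T09:02:11Z", "203.0.113.45", "CERT-THUMBPRINT-PLACEHOLDER"),
    ("2021-01-10T09:15:40Z", "198.51.100.7", "CERT-THUMBPRINT-PLACEHOLDER"),
    ("2021-01-10T11:48:03Z", "192.0.2.77", "CERT-THUMBPRINT-PLACEHOLDER"),
    ("2021-01-11T02:30:19Z", "192.0.2.78", "CERT-THUMBPRINT-PLACEHOLDER"),
    ("2021-01-11T03:00:00Z", "192.0.2.9", "SOME-OTHER-CERT"),
]


def is_expected_source(ip: str, ranges=PROVIDER_RANGES) -> bool:
    """True when the client address falls inside one of the allowlisted ranges.
    Unparseable addresses are treated as unexpected so they are never silently passed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def flag_unexpected_cert_use(events, thumbprint, ranges=PROVIDER_RANGES):
    """Return the sign-ins where the named certificate authenticated from outside
    the allowlisted ranges. These are the records an incident responder reviews."""
    return [ev for ev in events
            if ev[2] == thumbprint and not is_expected_source(ev[1], ranges)]


def summarize_by_source(flagged):
    """Count flagged sign-ins per source address so repeated use stands out."""
    return Counter(ev[1] for ev in flagged)


if __name__ == "__main__":
    hits = flag_unexpected_cert_use(SAMPLE_EVENTS, "CERT-THUMBPRINT-PLACEHOLDER")
    for ts, ip, _ in hits:
        print(f"REVIEW: cert sign-in at {ts} from unexpected source {ip}")
    print(dict(summarize_by_source(hits)))
```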
The hackers also gained access to email addresses, contact details and “encrypted and/or hashed and salted credentials”. A limited number of source code repositories were also downloaded, but Mimecast said there is no evidence of changes to, or impact on, company products. The company further said there is no evidence that the hackers gained access to email or archive content that Mimecast holds on behalf of its customers.
In a post published Tuesday, Mimecast officials wrote:
While the evidence showed that this certificate was only being used to target a small number of customers, we quickly put in place a plan to mitigate the potential risk to all customers using the certificate. We have made a new certificate connection available and advised these customers and relevant support partners, via email, in-app notifications and outbound calls, to take the precautionary step to migrate to the new connection. Our public blog post provided insight into this stage of the incident.
We’ve coordinated with Microsoft to confirm no further unauthorized use of the compromised Mimecast certificate and worked with our customers and partners to migrate to the new certificate connection. After a majority of our customers implemented the new certificate connection, Microsoft disabled the compromised certificate at our request.
The chosen ones
The attack on SolarWinds’ supply chain came to light in December. Attackers carried it out by infecting the Austin, Texas-based company’s software build and distribution system and using it to release an update that was downloaded and installed by 18,000 SolarWinds customers.
Mimecast was one of a small number of those customers who received follow-up malware that allowed the attackers to dig deeper into infected networks to access specific content of interest. White House officials have said at least nine federal agencies and 100 private companies were hit in the attack, which went undetected for months.
Compromising certificates allows hackers to read and modify encrypted data as it travels across the Internet. For that to happen, a hacker must first gain the ability to monitor the connections going into and out of a target’s network. Typically, certificate compromises require access to highly fortified storage devices that hold private encryption keys. That access usually requires deep hacking or insider access.
To underline how surgical the supply chain attack was, Mimecast was among the small percentage of SolarWinds customers who experienced a follow-up attack. In turn, of the thousands of Mimecast customers who reportedly used the compromised certificate, fewer than 10 were targeted. Limiting the number of targets receiving follow-up malware and launching attacks from servers located in the US were two of the ways the hackers kept their operation undetected.
When Mimecast first disclosed the compromised certificate in January, the similarities with parts of the SolarWinds attack generated speculation that the two events were related. Tuesday’s Mimecast post is the first formal confirmation of that connection.