
SolarWinds Attackers Accessed US Attorneys' Office Emails

DOJ: Russian-Linked Group Breached Office 365 Accounts in 27 Offices

The Russian-linked group that targeted SolarWinds using a supply chain attack compromised at least one email account at 27 U.S. attorneys' offices in 15 states and Washington, D.C., throughout 2020, according to an update posted Friday by the Justice Department.


These intrusions at federal prosecutors' offices, which took place between May 7 and Dec. 27, 2020, targeted the Microsoft Office 365 accounts of department employees. The attackers were able to access all email communications as well as message attachments, the Justice Department notes.

The supply chain attack that originally targeted SolarWinds led to follow-on attacks that affected about 100 companies and at least nine federal agencies, including the Justice Department. The cyberespionage campaign was uncovered in December 2020 by security firm FireEye. In April, the Biden administration attributed the attacks to the Russian Foreign Intelligence Service, or SVR (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).

During the part of the campaign that targeted the 27 U.S. attorneys' offices, the Justice Department says that Russian-linked attackers had access to large amounts of employees' Office 365 email data.

"The compromised data included all sent, received, and stored emails and attachments found within those accounts during that time," according to the Justice Department's update.

The Justice Department first acknowledged that it had been targeted by the SolarWinds attackers on Dec. 24, 2020. At the time, a spokesman noted that about 3% of the department's Office 365 email accounts had been compromised, but provided no additional details. The DOJ added, however, that none of its classified systems had been breached during the intrusion.

Besides the Justice Department, the Treasury, Commerce, State, Energy and Homeland Security departments were all targeted by the SolarWinds attackers (see: CISA Shifting Einstein Detection System Deeper Into Networks).

New York Offices

While federal prosecutors' offices in 15 states and Washington, D.C., were compromised, the Justice Department notes that the attackers seemed to pay more attention to the four U.S. Attorneys' Offices that cover New York State.

"While other districts were impacted to a lesser degree, the APT group gained access to the O365 email accounts of at least 80% of employees working in the U.S. Attorneys’ offices located in the Eastern, Northern, Southern, and Western Districts of New York," according to the Justice Department update. "The Executive Office for U.S. Attorneys has notified all impacted account holders and the Department has provided guidance to identify particular threats."

The Justice Department did not specify why such a large number of email accounts at these four offices were compromised. Other notable U.S. attorneys' offices that were caught up in this part of the cyberespionage campaign include the Northern District of California, the District of Columbia, the Eastern District of Virginia and the Western District of Washington.

SolarWinds Investigation

While the Biden administration placed the blame for the SolarWinds attack on Russia, the campaign and the techniques used by the attackers remain under investigation. Congress has also held several hearings about the incident (see: Senators Push for Changes in Wake of SolarWinds Attack).

At the RSA Conference in May, SolarWinds CEO Sudhakar Ramakrishna noted that further investigations by his company had revealed that the attackers may have started their reconnaissance activity in January 2019.

From what investigators have been able to uncover, it appears that the Russian-linked attackers gained access to SolarWinds' build environment and inserted a backdoor, which was then compiled into the company's legitimate Orion network management software without being detected.

This Trojanized update was later distributed to as many as 18,000 of the company's customers. This then led to follow-on attacks on about 100 companies and nine government agencies.

The cyberespionage campaign appears to have gone undetected throughout most of 2020, until December, when FireEye came forward on Dec. 8, saying its red team tools had been stolen. After that announcement, the intrusion was traced to the backdoored Orion software (see: Federal Agencies Struggling With Supply Chain Security).

Concerns over SolarWinds and Russia's role in the incident, as well as a number of ransomware attacks that appear to have been conducted by cybercriminals working within the borders of Russia, made cybersecurity one of the main topics of discussion between President Joe Biden and Russian President Vladimir Putin during one-on-one talks in June (see: Analysis: The Cyber Impact of Biden/Putin Summit Meeting).

Federal Response

The SolarWinds attack has also prompted the federal government to rethink its approach to cybersecurity. At a March hearing of the Senate Homeland Security and Governmental Affairs Committee, Christopher DeRusha, the federal CISO, told lawmakers that U.S. government agencies need to implement the "zero trust" security model, which assumes networks have been compromised and focuses on authenticating identity when a user attempts to access a device, application or system (see: The Case for 'Zero Trust' Approach After SolarWinds Attack).

The Biden administration has also published an extensive executive order that will prompt federal government agencies to revamp their cybersecurity plans, including developing new ways to evaluate and rate software that the federal government buys from the private sector.

About the Author

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.
