The SolarWinds hackers potentially accessed three percent of the US Justice Department’s Office 365 mailboxes in what the department is classifying as a “major incident.”
The Justice Department said it learned 24 December that suspected Russian hackers had gained access to the department’s Microsoft Office 365 environment, department spokesman Marc Raimondi said Wednesday. After learning of this malicious activity, the Justice Department said it eliminated the identified method by which the hacker was accessing the department’s Office 365 email environment.
“At this point, the number of potentially accessed Office 365 mailboxes appears limited to around 3 percent, and we have no indication that any classified systems were impacted,” Raimondi said in a statement.
The announcement makes the Justice Department at least the eighth US government agency to reportedly be hit by the SolarWinds hackers. Official disclosures and media reports have indicated the Commerce Department, Defense Department, Energy Department, Homeland Security Department, National Institute of Health, State Department and Treasury Department were also compromised.
Nearly ten federal agencies experienced follow-on activity on their systems after being compromised through a malicious update to their SolarWinds Orion network monitoring platform, the U.S. Cyber Unified Coordination Group (UCG) announced yesterday. The UCG also said a Russian Advanced Persistent Threat (APT) group is likely behind the SolarWinds breach for intelligence gathering purposes.
As part of its ongoing technical analysis, the Justice Department said it determined that the Office 365 compromise constitutes a major incident under the Federal Information Security Modernization Act, and is taking steps consistent with that determination. The department said it’ll continue to notify the appropriate federal agencies, Congress, and the public as warranted, according to Raimondi.
The Justice Department discovered their Office 365 compromise just two days after The New York Times reported that hackers had seized upon a Microsoft flaw to infiltrate the email system used by the US Treasury Department’s senior leadership. The hackers did a complex step inside Office 365 to create an encrypted “token” that tricked the Treasury’s system into thinking the hackers were legitimate users.
That tricked the Treasury Department’s system into thinking the hackers were legitimate users, meaning the hackers were able to sign on without having to guess user names and passwords, Sen. Ron Wyden, D-Ore., told The Times on Dec. 22. Like the Justice Department, the Treasury Department also didn’t see any evidence that hackers had gotten into their classified systems, Secretary Steven Mnuchin said.
One day before the Justice Department discovered its breach, CrowdStrike disclosed that hackers tried to attack the endpoint security giant through a Microsoft reseller’s Azure account. The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and the hackers failed in their attempt to read the company’s email, CrowdStrike said.
Microsoft told CRN USA on 24 December that if a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant. The abuse of access would not be a compromise of Microsoft’s services themselves, according to the company.
Reuters reported 17 December that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft said at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
Microsoft reaffirmed on 31 December that it’s found no indications that its systems were used to attack others.