SolarWinds Hackers Also Accessed U.S. Justice Department’s Email Server

SolarWinds Hackers

The U.S. Department of Justice on Wednesday became the latest government agency in the country to admit its internal network was compromised as part of the SolarWinds supply chain attack.

“On December 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others,” DoJ spokesperson Marc Raimondi said in a short statement. “This activity involved access to the Department’s Microsoft Office 365 email environment.”

Calling it a “major incident,” the DoJ said the threat actors who spied on government networks through SolarWinds software potentially accessed about 3% of the Justice Department’s email accounts, but added there’s no indication they accessed classified systems.

The disclosure comes a day after the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) issued a joint statement formally accusing an adversary “likely Russian in origin” for staging the SolarWinds hack.

The agencies described the entire SolarWinds operation as “an intelligence gathering effort.”

The espionage campaign, which originated in March 2020, worked by delivering malicious code that piggybacked on SolarWinds network-management software to as many as 18,000 of its customers, although additional intrusive activity is believed to have been conducted only against select targets.

In a separate development, The New York Times, Reuters, and The Wall Street Journal reported intelligence bureaus are probing the possibility that JetBrains’ TeamCity software distribution system was breached and “used as a pathway for hackers to insert back doors into the software of an untold number of technology companies.”

TeamCity is a build management and continuous integration server offered by the Czech software development company. JetBrains counts 79 of the Fortune 100 companies as its customers, including SolarWinds.

But in a blog post published by its CEO Maxim Shafirov, the company denied being involved in the attack in any way, or that it was contacted by any government or security agency regarding its role in the security incident.

“SolarWinds is one of our customers and uses TeamCity, which is a Continuous Integration and Deployment System, used as part of building software,” Shafirov said. “SolarWinds has not contacted us with any details regarding the breach and the only information we have is what has been made publicly available.”

Shafirov also stressed that in the event if TeamCity had been used to compromise SolarWinds, it could be due to a misconfiguration, and not a specific vulnerability.

Source

Leave a Reply