The US Department of Justice disclosed that Microsoft Office 365 email accounts of employees from 27 US Attorneys’ offices got breached by the Russian Foreign Intelligence Service (SVR) during the SolarWinds global hacking spree.
The APT is believed to have access to compromised accounts from approximately May 7 to December 27, 2020.
The compromised data included all sent, received, and stored emails and attachments found within those accounts during that time.
While other districts were impacted to a lesser degree, the APT group gained access to the O365 email accounts of at least 80 percent of employees working in the U.S. Attorneys’ offices located in the Eastern, Northern, Southern, and Western Districts of New York.
Below you can see a list of United States Attorneys’ offices that were breached during the attacks:
- Central District of California;
- Northern District of California;
- District of Columbia;
- Northern District of Florida;
- Middle District of Florida;
- Southern District of Florida;
- Northern District of Georgia;
- District of Kansas;
- District of Maryland;
- District of Montana;
- District of Nevada;
- District of New Jersey;
- Eastern District of New York;
- Northern District of New York;
- Southern District of New York;
- Western District of New York;
- Eastern District of North Carolina;
- Eastern District of Pennsylvania;
- Middle District of Pennsylvania;
- Western District of Pennsylvania;
- Northern District of Texas;
- Southern District of Texas;
- Western District of Texas;
- District of Vermont;
- Eastern District of Virginia;
- Western District of Virginia; and
- Western District of Washington.
Other districts were affected as well, but the Russian SVR state hackers managed to breach the email accounts of at least 80 percent of employees from US Attorneys’ offices located in the Eastern, Northern, Southern, and Western Districts of New York.
After learning of the malicious activity, the Office of the Chief Information Officer eliminated the identified method by which the actor was accessing the O365 email environment and in accordance with FISMA, the department took steps to notify the appropriate federal agencies, Congress, and the public as warranted.
The US Department of Justice confirmed the fact that the hacking group that was behind the SolarWinds supply-chain attack breached the Department’s Microsoft 365 email environment in a statement from January, and in April, the United States government formally accused the Russian government of being the driving force behind the SolarWinds attack.
The SolarWinds Orion Attack
The malicious actors managed to breach SolarWinds’ internal systems and trojanized the Orion Software Platform source code as well as the builds released between March 2020 and June 2020.
The malicious builds in question were then used in order to deploy a backdoor tracked as Sunburst to “fewer than 18,000” victims.
SolarWinds’s list of customers contains over 425 US Fortune 500 companies, US telecom companies, and a long list of govt agencies (the US Military, the US Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the US Department of Justice, and the Office of the President of the United States).
Following the attack, SolarWinds reported expenses of $3.5 million that are including also the costs related to remediation and incident investigation.