SolarWinds hackers had access to roughly 3% of US DOJ O365 mailboxes

The US DoJ revealed that threat actors behind the SolarWinds attack have gained access to roughly 3% of the department’s O365 mailboxes.

The US Department of Justice (DoJ) published a press release to confirm that the threat actors behind the SolarWinds supply chain attack were able to access thousands of mailboxes of its employees.

“On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others.  This activity involved access to the Department’s Microsoft O365 email environment.” reads the update provided by the DoJ on the SolarWinds attack. 

“After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment.  At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted.”

DoJ confirmed the number of potentially accessed O365 mailboxes is around 3-percent, it also added that government experts are not aware of impacted classified systems.

considering that the DoJ has around 115,000 employees, this implies that attackers gained access to roughly 3450 mailboxes. The DOJ announced to have lockout the intruders.

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination.  The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted.”” concludes the press release.

The US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.

On behalf of President Trump, the four agencies were part of the task force Cyber Unified Coordination Group (UCG) that is coordinating the investigation and remediation of the SolarWinds hack that had a significant impact on federal government networks. The UCG’s investigation is still ongoing to determine the scope of the incident.

According to the UCG’s statement, the attack was orchestrated by an Advanced Persistent Threat (APT) actor, likely Russian in origin.

Recently the US Cybersecurity and Infrastructure Security Agency (CISA) has updated its official guidance to order US federal agencies to update the SolarWinds Orion platforms by the end of the year.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DoJ)

[adrotate banner=”5″]

[adrotate banner=”13″]