The US Department of Justice says the Microsoft Office 365 email accounts of employees at 27 US Attorneys' offices were compromised by the Russian Foreign Intelligence Service (SVR) during the SolarWinds global hacking campaign.
"The APT is believed to have had access to the compromised accounts from around May 7 to December 27, 2020," the Department of Justice said in a statement issued earlier today. "The compromised data consist of all sent, received and stored emails and attachments found within these accounts during that time."
"While other districts were impacted to a lesser degree, the APT group gained access to the O365 email accounts of at least 80 percent of employees working in the U.S. Attorneys' offices located in the Eastern, Northern, Southern, and Western Districts of New York."
The U.S. Attorneys' offices listed below each had at least one employee's Microsoft O365 email account compromised as part of the SolarWinds supply-chain attack, which directly impacted both the U.S. government and the private sector.
Affected U.S. Attorneys' offices:
- Central District of California;
- Northern District of California;
- District of Columbia;
- Northern District of Florida;
- Middle District of Florida;
- Southern District of Florida;
- Northern District of Georgia;
- District of Kansas;
- District of Maryland;
- District of Montana;
- District of Nevada;
- District of New Jersey;
- Eastern District of New York;
- Northern District of New York;
- Southern District of New York;
- Western District of New York;
- Eastern District of North Carolina;
- Eastern District of Pennsylvania;
- Middle District of Pennsylvania;
- Western District of Pennsylvania;
- Northern District of Texas;
- Southern District of Texas;
- Western District of Texas;
- District of Vermont;
- Eastern District of Virginia;
- Western District of Virginia; and
- Western District of Washington.
Even though other districts were impacted to a lesser degree, the Russian SVR state hackers managed to compromise the O365 email accounts of at least 80 percent of employees in the US Attorneys' offices located in the Eastern, Northern, Southern, and Western Districts of New York.
"After learning of the malicious activity, the Office of the Chief Information Officer eliminated the identified method by which the threat actor was accessing the O365 email environment and, in accordance with FISMA, the department took steps to notify the appropriate federal agencies, Congress, and the public as warranted," the DOJ added.
The DOJ had already confirmed, in a statement posted on January 6, 2021, that the hacking group behind the SolarWinds supply-chain attack had breached the Department's Microsoft O365 email environment.
In April, the United States government formally accused the Russian government of orchestrating the SolarWinds attack.
The White House named the SVR's hacking division (also tracked as APT29, The Dukes, or Cozy Bear) as the group behind the cyber-espionage campaign that exploited the SolarWinds Orion platform, giving it access to the networks of multiple US federal agencies and private technology firms.
SolarWinds Orion Supply-Chain Attack
The threat actors compromised SolarWinds' internal systems and trojanized the Orion Software Platform builds released between March 2020 and June 2020.

These malicious builds were later used to deliver a backdoor tracked as Sunburst to "fewer than 18,000" customers; the threat actors, however, selected only a substantially smaller number of those victims for second-stage exploitation.
Multiple US government agencies later confirmed that they had been breached. Some of them are listed below:
- Department of the Treasury
- National Telecommunications and Information Administration (NTIA)
- Department of State
- National Institutes of Health (NIH) (part of the U.S. Department of Health and Human Services)
- Department of Homeland Security (DHS)
- Department of Energy (DOE)
- National Nuclear Security Administration (NNSA)
In March, SolarWinds reported $3.5 million in expenses stemming from last year's supply-chain attack, including costs related to remediation and incident investigations.