Thousands of Department of Justice (DOJ) email accounts were accessed by SolarWinds attackers last year, the department has confirmed.
The US Department of Justice confirmed today that the hackers behind the SolarWinds supply chain attack targeted its IT systems. It is one of the rare SolarWinds victims where the attackers escalated the intrusion to a second phase: from the trojanized SolarWinds Orion app they moved across the department's internal network and accessed the email accounts of some of its employees.
“On December 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the department’s Microsoft Office 365 email environment,” it explained.
“After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the Office 365 email environment. At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted,” DOJ spokesperson Marc Raimondi said in a short press release published earlier today.
With DOJ employee numbers estimated at around 100,000 to 115,000, the number of impacted DOJ employees is currently believed to be around 3,000 to 3,450.
Even if no “classified systems” were impacted, this represents a major security breach that could have given attackers access to strategically useful information and provided a staging post for convincing phishing attacks on other government users.
The DOJ said it has now blocked the attacker’s point of entry.
The DOJ now joins a long list of companies and government agencies that publicly admitted to having been impacted in the SolarWinds hack. Previous victims include the likes of:
- The US Treasury Department
- The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
- The Department of Health’s National Institutes of Health (NIH)
- The Cybersecurity and Infrastructure Security Agency (CISA)
- The Department of Homeland Security (DHS)
- The US Department of State
- The National Nuclear Security Administration (NNSA)
- The US Department of Energy (DOE)
- Three US state governments
- City of Austin
- Many hundreds more, such as Cisco, Intel, VMware, and others.
The DOJ admitted that the activity it detected constitutes a “major incident” under the Federal Information Security Modernization Act, and said it “is taking the steps consistent with that determination.”
Agencies Blame Russia
The DOJ issued a brief statement yesterday to shed more light on the impact of the attacks, which the government has so far acknowledged and blamed on Russia, but has done little else to clarify.
In a joint statement published yesterday, the FBI, CISA, ODNI, and the NSA attributed the SolarWinds supply chain attack to “an Advanced Persistent Threat (APT) actor, likely Russian in origin.”
The four agencies described the entire SolarWinds operation as “an intelligence-gathering effort,” rather than an operation looking to destroy or cause mayhem among US IT infrastructure.