DOJ Employee Email Accounts Accessed by SolarWinds Hackers

January 6, 2021 Updated: January 6, 2021

The Justice Department confirmed Wednesday that its employees’ email accounts had been accessed by the hackers who broke into software company SolarWinds.

The department discovered the breach on Dec. 24, 2020, and has eliminated the identified method by which the hackers had accessed its Microsoft Office 365 email environment, spokesperson Marc Raimondi said in a statement.

“At this point, the number of potentially accessed [Microsoft Office 365] mailboxes appears limited to around 3 percent and we have no indication that any classified systems were impacted,” Raimondi said.

The department has more than 110,000 employees across multiple law enforcement agencies, including the Federal Bureau of Investigation (FBI). Although Raimondi didn’t provide a precise number of affected email accounts, a 3 percent breach could mean that the hackers accessed about 3,000 email accounts.

According to a joint statement issued Tuesday by the FBI, the Office of the Director of National Intelligence, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency, the recently discovered infiltration into U.S. government and private networks via compromised SolarWinds systems is likely associated with Russia.

“This work indicates that an Advanced Persistent Threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the intelligence agencies said.

“At this time, we believe this was, and continues to be, an intelligence gathering effort,” the agencies said. “We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”

In a December 2020 filing with the Securities and Exchange Commission, SolarWinds said that the data of some 18,000 customers could be compromised through the compromise of SolarWinds Orion, a widely used IT infrastructure management software.

Microsoft, the developer of Windows OS, Office, and Xbox, reported in December that it used SolarWinds Orion inside its internal network. The company later said in a blog post that the hackers behind the SolarWinds attack managed to get inside its internal network and used a small number of internal accounts to access Microsoft source code repositories.

The hackers, however, weren’t able to make any changes to the repositories they accessed, since the compromised accounts did not have permissions to modify any code, according to Microsoft.

“At Microsoft, we have an inner source approach—the use of open source software development best practices and an open source-like culture—to making source code viewable within Microsoft,” the company explained. “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.”