Email security firm Mimecast on Tuesday revealed that the state-sponsored SolarWinds hackers who broke into its internal network also downloaded source code from a limited number of repositories.
“The threat actor did access a subset of email addresses and other contact information and hashed and salted credentials,” the company said in a write-up detailing its investigation, adding the adversary “accessed and downloaded a limited number of our source code repositories, as the threat actor is reported to have done with other victims of the SolarWinds Orion supply chain attack.”
But Mimecast said the source code downloaded by the attackers was incomplete and would be insufficient to build and run any aspect of the Mimecast service, and that it did not find signs of any tampering by the threat actor with the build process associated with the executables that are distributed to its customers.
On January 12, Mimecast disclosed that “a sophisticated threat actor” had compromised a digital certificate it provided to certain customers to securely connect its products to Microsoft 365 (M365) Exchange.
Weeks later, the company tied the incident to the SolarWinds mass exploitation campaign, noting that the threat actor accessed and possibly exfiltrated certain encrypted service account credentials created by customers hosted in the U.S. and the U.K.
Noting that the intrusion stemmed from the Sunburst backdoor that was deployed via trojanized SolarWinds Orion software updates, the company said it observed lateral movement from the initial access point to its production grid environment containing a small number of Windows servers, in a manner that was consistent with the attack pattern attributed to the threat actor.
Although the exact number of customers who used the stolen certificate remains unknown, the company said in January that “a low single digit number of our customers’ M365 tenants were targeted.”
Alleged to be of Russian origin, the threat actor behind the SolarWinds supply-chain attacks is being tracked under multiple names, including UNC2452 (FireEye), Dark Halo (Volexity), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Nobelium (Microsoft).
Mimecast, which had roped in Mandiant to lead its incident response efforts, said it concluded the probe earlier this month.
As part of a slew of countermeasures, the company also noted that it fully replaced the compromised Windows servers, upgraded the encryption algorithm strength for all stored credentials, implemented enhanced monitoring of all stored certificates and encryption keys, and decommissioned SolarWinds Orion in favor of a NetFlow monitoring system.