Mimecast reveals source code theft in SolarWinds hack

Some customer records were also compromised in the breach.
Written by Charlie Osborne, Contributing Writer

Mimecast has revealed the theft of its source code in a cyberattack linked to the SolarWinds breach

According to Mimecast's security incident disclosure, published on March 16, a malicious SolarWinds Orion update was used to access the company's production grid environment. 

The cloud and email security firm said "a limited number of source code repositories" were downloaded during a cyberattack in January, but added that the company currently has "no evidence" that this code was maliciously modified or that the loss will impact any existing products. 

"We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers," Mimecast says. "We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service."

Alongside the source code theft, some Mimecast-issued certificates and limited customer server connection datasets were compromised by attackers.

Mimecast was made aware of a certificate security issue by Microsoft in January, which told the company a certificate used to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP was being exploited to target a small number of M365 tenants from non-Mimecast IP addresses. 

A new certificate connection was issued before Microsoft disabled the hijacked certificate on Mimecast's request. 

In addition, the unidentified threat actors were able to access email addresses, contact information, and credentials, but the latter was encrypted or hashed/salted. 

The SolarWinds supply chain attack, first disclosed in December, has impacted thousands of enterprise and government organizations. Software vendor SolarWinds was breached and an update for its Orion software was infected with malware before being pushed to countless users -- immediately creating a widespread supply chain-based chain of compromise. 

Mimecast and FireEye's Mandiant team have been working together on an investigation of the security breach. According to the companies, the initial intrusion was made through Sunburst malware loaded alongside the malicious Orion update.

Mimecast recommends that customers in the US and UK reset any server connection credentials used on the Mimecast platform as a "precautionary measure." 

The cloud security firm says that hashed credentials are also being reset, and customers involved in the breach have been notified. Mimecast has also upgraded its encryption algorithm for stored credentials and has pulled SolarWinds Orion from its infrastructure. All impacted servers have been replaced. 

Microsoft estimates that the attack, suspected of being the handiwork of Russian state-sponsored group Nobelium, may have required the efforts of up to 1,000 engineers to create. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards