The US Department of Justice confirmed today that the hackers behind the SolarWinds supply chain attack targeted its IT systems, where they escalated access from the trojanized SolarWinds Orion app to move across its internal network and access the email accounts of some of its employees.
"At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted," DOJ spokesperson Marc Raimondi said in a short press release published earlier today.
With DOJ employee numbers estimated at around 100,000 to 115,000, the number of impacted DOJ employees is currently believed to be around 3,000 to 3,450.
The DOJ said it has now blocked the attacker's point of entry.
The DOJ now joins a long list of companies and government agencies that publicly admitted to having been impacted in the SolarWinds hack. Previous victims include the likes of:
- The US Treasury Department
- The US Department of Commerce's National Telecommunications and Information Administration (NTIA)
- The Department of Health's National Institutes of Health (NIH)
- The Cybersecurity and Infrastructure Security Agency (CISA)
- The Department of Homeland Security (DHS)
- The US Department of State
- The National Nuclear Security Administration (NNSA)
- The US Department of Energy (DOE)
- Three US state governments
- City of Austin
- Many hundreds more, including Cisco, Intel, and VMware.
SolarWinds hack part of a Russian intelligence-gathering effort
The SolarWinds supply chain attack came to light on December 14 when Microsoft and FireEye confirmed that hackers gained access to the internal network of IT software company SolarWinds where they inserted malware inside multiple update packages for the Orion software inventory and IT monitoring platform.
Around 18,000 private companies and government organizations downloaded these trojanized Orion updates and were infected with a version of the Sunburst (Solorigate) backdoor trojan.
However, in subsequent analyses published since the attack was disclosed, security firms and US cyber-security agencies investigating the hack said that the hackers escalated the attack on only a few of the infected organizations.
This escalation relied on deploying a second-phase malware strain named Teardrop, taking control of the local network, and then pivoting to gain access to the victim company's cloud and email infrastructure, with the purpose of gathering intelligence on the target's recent activities.
In a joint statement published yesterday, the FBI, CISA, ODNI, and the NSA attributed the SolarWinds supply chain attack to an Advanced Persistent Threat (APT) actor "likely Russian in origin."
The four agencies described the entire SolarWinds operation as "an intelligence gathering effort," rather than an operation looking to destroy or cause mayhem among US IT infrastructure.