The DOJ discovered the SolarWinds breach months before it was made public


In November 2020, months after the Justice Department finished mitigating its hack, Mandiant discovered that it, too, had been compromised, and the following month traced its breach to the Orion software running on one of its servers. An investigation into the software revealed that it contained a backdoor that the hackers had embedded in Orion while SolarWinds was compiling it in February 2020. The tainted software was released to about 18,000 SolarWinds customers, who downloaded it between March and June, the latter being the month in which the DOJ discovered anomalous traffic leaving its own Orion server. The hackers, however, chose only a small subset of those customers as targets for their espionage operation. They pushed deeper into the infected federal agencies and into about 100 other organizations, including technology companies, government agencies, defense contractors and think tanks.

Mandiant itself was infected with the Orion software on July 28, 2020, the company told WIRED, which would have coincided with the period the company was helping the Justice Department investigate its breach.

When asked why, when the company announced the supply chain breach in December, it did not publicly disclose that it had been tracking a SolarWinds-related incident in a government network months earlier, its spokesperson only noted that “when we went public, we identified other customers.”

The incident underscores the importance of sharing information between agencies and industry, something the Biden administration has emphasized. Although CISA was notified by the Justice Department, an NSA spokesperson told WIRED that it did not learn of the early Justice Department breach until January 2021, when the information was shared on a call among employees of several federal agencies.

It was the same month that the Department of Justice, which employs more than 100,000 people across multiple agencies including the FBI, the Drug Enforcement Administration and the U.S. Marshals Service, revealed that the hackers behind the SolarWinds campaign may have gained access to about 3 percent of its Office 365 mailboxes. Six months later, the department expanded on this and announced that the hackers had managed to break into the email accounts of employees at 27 US Attorney’s offices, including offices in California, New York, and Washington, D.C.

In its latest statement, the DOJ said that in order to “encourage transparency and strengthen the nation’s resilience,” it wanted to provide new details, including that the hackers are believed to have accessed the compromised accounts from May 7 to December 27, 2020. The compromised data included “all sent, received, and stored emails and attachments found within those accounts during that time.”

Justice Department incident investigators weren’t the only ones to find early evidence of the breach. Around the same time as the department’s investigation, security firm Volexity, as previously reported, was also investigating a breach at a US think tank and traced it to the organization’s Orion server. Later, in September, security firm Palo Alto Networks also detected unusual activity involving its own Orion server. Volexity suspected there might be a backdoor on its client’s server but ended the investigation without finding one. Palo Alto Networks contacted SolarWinds, as the Department of Justice had, but in this case, too, the problem went unidentified.

Sen. Ron Wyden, D-Oregon, who has criticized the government’s failure to prevent and detect the campaign in its early stages, says the revelations illustrate the need for an investigation into how the US government responded to the attacks and into the missed opportunities to stop them.

“The SolarWinds Russian hacking campaign was only successful because of a series of cascading failures by the US government and its industry partners,” he wrote in an email. “I have seen no evidence that the executive branch has thoroughly investigated and addressed these failures. The federal government urgently needs to get to the bottom of what went wrong so that in the future backdoors in other programs used by the government can be detected and immediately neutralized.”
