Mimecast's source code stolen in SolarWinds breach

But Mimecast insists the code was 'incomplete'

Security vendor Mimecast has announced that its source code was stolen in cyber attacks linked to the SolarWinds breach.

In an incident report published on its website, the company said that the hackers used the Sunburst backdoor in the compromised versions of SolarWinds Orion platform as an initial attack vector to download 'a limited number of source code repositories'.

However, there was no evidence to suggest that the attackers were able to modify the code, or that any of the company's existing products were impacted as a result of the breach.

Mimecast said the attackers downloaded incomplete code, which would be insufficient to create and run 'any aspect of the Mimecast service'.

Apart from stealing source code, the threat actors were also able to compromise some Mimecast-issued digital certificates and limited customer server connection datasets.

The firm first disclosed the compromise of a certificate used for Microsoft Exchange Web Services on 12th January. Microsoft alerted Mimecast to the certificate issue, telling the company that the attackers were exploiting the certificate to target 'a low single-digit number' of Microsoft 365 tenants from non-Mimecast IP address ranges.

After Mimecast issued a new certificate, Microsoft disabled the compromised certificate at Mimecast's request.

An investigation by FireEye's Mandiant division found no evidence of attackers being able to access customers' email or archive content.

The vendor says it has decommissioned SolarWinds Orion from its infrastructure and replaced it with the Cisco NetFlow monitoring system.

All credentials for Mimecast systems, administrative accounts and employees have been reset and the firm has also added additional host security monitoring functionality through its environment.

Mimecast is also advising customers in the US and UK to change any server connection credentials they used on the Mimecast platform.

The long tail of SolarWinds

The update from Mimecast is the latest development in the wide-scale SolarWinds hack, which has impacted a large number of organisations in the US.

Researchers uncovered the hack in December, after finding that attackers had infiltrated several US government agencies that used SolarWinds software.

The attack affected several corporate networks as well. Microsoft said the attackers were able to access some source code, although they could not make any changes to it.

Cisco also confirmed that nearly two dozen computer systems researchers used in the company lab were compromised through SolarWinds-related malware.

In total, SolarWinds said that around 18,000 customers had installed the infected software.

US federal agencies said the attack was likely part of a cyber-espionage campaign conducted by a threat group with links to Russia.

In January, security researchers at Kaspersky said they had found clues suggesting a link between the SolarWinds attack and hacking tools previously used by Russia's Turla group.

Researchers said the source code for Sunburst, the malware used by the SolarWinds hackers, overlapped with the Kazuar backdoor deployed by Turla to target various embassies and foreign ministers in Europe and across the world.

The Turla group, also known as Snake and Venomous Bear, has a long history of espionage-focused hacking. The group is associated with the FSB - a Russian intelligence service.