
UK readers may have heard of the SolarWinds breach that rocked the US government and corporate world last year. However, new information has emerged that the breach may have been discovered earlier than previously thought. Mandiant, the cybersecurity company that investigated and helped the US Department of Justice (DOJ) mitigate its breach, discovered that it had itself been hacked in November 2020. Further investigation revealed that the hackers had compromised the SolarWinds Orion software installed on one of Mandiant’s servers.
The compromised software had been downloaded by around 18,000 SolarWinds customers between March and June 2020. The hackers selected a small subset of these customers for further espionage operations, including federal agencies, technology firms, government agencies, defense contractors, and think tanks.
Mandiant’s own network was compromised through the Orion software in July 2020, coinciding with the period when it was helping the DOJ investigate its breach. When the supply-chain hack was announced in December, Mandiant did not disclose that it had been tracking an incident related to the SolarWinds campaign in a government network months earlier. Mandiant stated that by the time it went public, it had identified other compromised customers.
This incident highlights the importance of information-sharing between agencies and industry, something that the Biden administration stresses. The DOJ had notified the Cybersecurity and Infrastructure Security Agency (CISA), but the National Security Agency did not learn of the DOJ breach until January 2021, when the information was shared in a call among employees of several federal agencies.
The DOJ publicly revealed in January 2021 that the hackers may have accessed about 3 percent of its Office 365 mailboxes. There are conflicting reports as to whether this attack was part of the SolarWinds campaign or carried out by the same actors. In May, the DOJ announced that the hackers had breached email accounts of employees at 27 US Attorneys’ offices.
Other cybersecurity firms, such as Volexity and Palo Alto Networks, also discovered anomalous activity that they eventually traced back to SolarWinds. However, despite raising the alarm, they failed to pinpoint the problem. Senator Ron Wyden has called for an investigation into how the US government responded to the attacks, stating that “Russia’s SolarWinds hacking campaign was only successful because of a series of cascading failures by the US government and its industry partners.”
The SolarWinds breach serves as a warning that even the most sophisticated security measures are susceptible to infiltration. The government and industry must prioritize information-sharing and work together to prevent similar breaches in the future.