In November 2020, months after the DOJ had completed mitigation of its own breach, the security firm Mandiant discovered that it too had been hacked, and the following month it traced the intrusion to the Orion software running on one of its servers. Investigation of that software revealed a backdoor that the hackers had planted in Orion around February 2020, according to the timeline SolarWinds compiled. The infected software was released to some 18,000 SolarWinds customers, who downloaded it between March and June of that year; it was during this window that the DOJ noticed the unusual traffic leaving its Orion server. But the hackers singled out only a small portion of those customers for espionage: they went on to infiltrate a handful of federal agencies and nearly 100 other organizations, including technology companies, defense contractors and think tanks.
Mandiant itself installed the infected Orion software on July 28, 2020, the company told WIRED, which coincides with the period when it was helping the DOJ investigate the department's breach.
When asked why Mandiant, when it disclosed the supply chain hack in December, did not also disclose that it had months earlier been following up on an incident in a government network related to the SolarWinds campaign, a spokesperson said: “We identified public, other compromised customers as we went along.”
The episode highlights the importance of information sharing between agencies and industry, which the Biden administration has emphasized. Although the DOJ notified CISA, a National Security Agency spokesperson told WIRED that the NSA did not learn of the DOJ’s early breach until January 2021, after reaching out to employees at several federal agencies.
That same month, the DOJ, whose more than 100,000 employees span multiple components including the FBI, the Drug Enforcement Administration and the U.S. Marshals Service, publicly disclosed that the hackers behind the SolarWinds campaign had accessed 3 percent of its Office 365 mailboxes. There are conflicting reports as to whether that mailbox access was part of the SolarWinds Orion compromise itself or a separate intrusion carried out by the same actors. Six months later, the department expanded on that disclosure, saying the hackers had breached employee email accounts at 27 US attorneys’ offices, including those in California, New York and Washington, D.C.
In its latest statement, the DOJ said it wanted to provide new details to “encourage transparency and strengthen the nation’s resilience,” including that the hackers are believed to have had access to the compromised accounts between May 7 and December 27, 2020. The compromised data included “all sent, received and stored emails and attachments found in those accounts”.
DOJ incident investigators weren’t the only ones to stumble upon early evidence of the campaign. Around the same time the department did, the security firm Volexity, as has been previously reported, found suspicious activity on a client’s Orion server while investigating a breach at a US think tank. In September, the security firm Palo Alto Networks also discovered unusual activity related to an Orion server. Volexity suspected there might be a backdoor on the client’s server but ended its investigation without finding one. Palo Alto Networks contacted SolarWinds, as the DOJ had, but in that case too the companies couldn’t pinpoint the problem.
Oregon Democrat Senator Ron Wyden, who has criticized the government’s failure to prevent and detect the campaign at its outset, said the revelation shows the need for an investigation into how the US government responded to the attack and the opportunities it missed to stop it.
“The Russian SolarWinds hacking campaign succeeded only because of a series of failures by the US government and its industry partners,” he wrote in an email. “I have seen no evidence that the executive branch has thoroughly investigated and addressed these failures. The federal government is investigating the problem as soon as possible so that other software used by the government in the future can be found and fixed as soon as possible.”