SolarWinds Office 365 environment compromised

More details have emerged about how nation-state threat actors compromised SolarWinds.

In an update published Wednesday, SolarWinds president and CEO Sudhakar Ramakrishna, said the company's ongoing investigation determined that the nation-state actors behind the supply chain attack got into SolarWinds' Office 365 environment first. From there, the threat actors compromised credentials of the employees, got privileged access to the Orion build environment and then added the backdoor to software updates for the platform. The campaign led to the infected updates and compromise of high-profile customers like government agencies and technology giants.

A main component of the investigation is determining the attack vectors. According to Ramakrishna's update, the Office 365 compromise most likely occurred through a "compromise of credentials and/or access through a third-party application via an at the time zero-day vulnerability."

"As previously reported, this analysis has determined threat actors gained unauthorized access to our environment and conducted reconnaissance prior to the trail conducted on our Orion Platform software build in October 2019. We have not yet determined the exact date that the threat actors first gained unauthorized access to our environments," Ramakrishna wrote in the blog. "While we've confirmed suspicious activity related to our Office 365 environment, our investigation has not identified a specific vulnerability in Office 365 that would have allowed the threat actor to enter our environment through Office 365."

However, it is not clear if the investigation team has ruled out the possibility.

Ramakrishna did confirm in the update that "a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles."

SolarWinds declined to comment further about how that account was compromised.

In another blog post Wednesday, Ramakrishna addressed the company's revamped security practices moving forward. Those include a zero trust and least privilege access network, as well as mitigating third-party risks by increasing ongoing monitoring and inspection of all SaaS tools within the SolarWinds environment.

The investigation update comes seven weeks after SolarWinds first announced the supply chain attack. Since then, many victims have been revealed, including SolarWinds customer Microsoft. On Dec. 31, the tech giant confirmed that hackers had accessed Microsoft source code but did not alter or obtain it. Prior to that, Microsoft was part of a joint effort with FireEye and GoDaddy to create a kill switch for the malware, which FireEye dubbed "Sunburst."

Additionally, other vendors have reported breaches of their Office 365 environments. Malwarebytes disclosed last month it was targeted by the same threat actors responsible for the SolarWinds hacks, though it is not a SolarWinds customer. Malwarebytes CEO Marcin Kleczynski confirmed in a blog post the existence of another intrusion vector that works by abusing a "dormant email protection product" with privileged access to Microsoft Office 365 and Azure environments.

Mimecast was also breached by the same nation-state actors. Microsoft alerted the email security vendor that a Mimecast-issued certificate for Microsoft 365 Exchange Web Services authentication was stolen by a sophisticated actor. While they did not initially connect the incident to the SolarWinds hack, Mimecast eventually confirmed that the digital certificate was stolen by the same threat group behind the SolarWinds attacks.