After suffering a breach in January, Mimecast found the attackers made off with more than just a digital certificate.
In an updated incident report Tuesday, the email security vendor said the breach investigation, conducted by Mandiant, has concluded and determined a few new details, including the theft of some Mimecast product source code. The vendor first disclosed the compromise of a digital certificate used for Microsoft Exchange Web Services on Jan. 12, attributing it to a sophisticated threat actor. It did not immediately connect the incident to the SolarWinds hack, which has impacted several high-profile victims since last year.
However, later that month the company revealed the attack was committed by the same threat actors behind the SolarWinds supply chain hack, though Mimecast didn't specify how its network was breached or what the attackers accessed.
Now, Mimecast has confirmed that the attackers used a backdoor in the SolarWinds Orion platform. The company also found the breached certificate was linked to several SolarWinds breaches of other organizations.
"Our investigation determined that the initial intrusion resulted from SUNBURST malware, the backdoor present in the compromised version of SolarWinds Orion software we had previously used in our environment," the report said. "The lateral movement from the initial access point to these servers is consistent with the mechanism described by Microsoft and other organizations that have documented the attack pattern of this threat actor."
Fortunately, the investigation determined that only a small number of customers were attacked through the compromised certificate. "Microsoft informed us that the threat actor used the certificate to connect to a low single-digit number of our mutual customers' M365 tenants from non-Mimecast IP address ranges," the report said.
In its third-quarter earnings call in February, Mimecast CEO Peter Bauer said "five or so" customers were impacted by the compromised certificate.
Additionally, the final investigation found that the attackers stole some source code. On Dec. 31, Microsoft confirmed that hackers viewed, but did not alter or obtain, source code. In this case as well, Mimecast said the threat actor accessed and downloaded a limited number of its source repositories, but the investigation found no evidence that any modifications were made to products.
Finally, Mimecast said there is no evidence that the threat actor accessed customers' email or archive content.
In light of the investigation, Mimecast said it decommissioned SolarWinds Orion and replaced it with the Cisco NetFlow monitoring system. The company also said it added extra host security monitoring functionality through its environment, replaced all compromised servers and rotated all credentials for Mimecast employee, systems and administrative accounts.