Mimecast Finds SolarWinds Hackers Stole Some of Its Source Code (Security News, March 2021)
Email security firm Mimecast on Tuesday revealed that the state-sponsored SolarWinds hackers who broke into its internal network also downloaded source code from a limited number of repositories.
"The threat actor did access a subset of email addresses and other contact information and hashed and salted credentials," the company said in a write-up detailing its investigation, adding the adversary "accessed and downloaded a limited number of our source code repositories, as the threat actor is reported to have done with other victims of the SolarWinds Orion supply chain attack."
Mimecast said the source code downloaded by the attackers was incomplete and would be insufficient to build and run any aspect of the Mimecast service. It also said it found no signs that the threat actor had tampered with the build process associated with the executables that are distributed to its customers.
On January 12, Mimecast disclosed that "a sophisticated threat actor" had compromised a digital certificate it provided to certain customers to securely connect its products to Microsoft 365 Exchange.
Weeks later, the company tied the incident to the SolarWinds mass exploitation campaign, noting that the threat actor accessed and possibly exfiltrated certain encrypted service account credentials created by customers hosted in the U.S. and the U.K.
Pointing out that the intrusion stemmed from the Sunburst backdoor that was deployed via trojanized SolarWinds Orion software updates, the company said it observed lateral movement from the initial access point to its production grid environment, which contains a small number of Windows servers, in a manner consistent with the attack pattern attributed to the threat actor.
Alleged to be of Russian origin, the threat actor behind the SolarWinds supply-chain attacks is being tracked under multiple names, including UNC2452, Dark Halo, SolarStorm, StellarParticle, and Nobelium.