27 US Attorneys’ Offices Breached in SolarWinds Attack

The US Department of Justice revealed Microsoft Office 365 email accounts of employees of 27 US Attorneys’ offices were breached during the SolarWinds attack by the Russian Foreign Intelligence Service (SVR).

Details of SolarWinds Attack

The DOJ issued a statement on Friday explaining “The APT is believed to have access to compromised accounts from approximately May 7 to December 27, 2020.”

“While other districts were impacted to a lesser degree, the Apt group gained access to the O365 email accounts of at least 80 percent of employees working in the U.S. Attorneys’ offices located in the Eastern, Northern, Southern, and Western Districts of New York.”

Accounts impacted in the supply-chain attack from the U.S. government and the private sector include:

Central District of California
Northern District of California
District of Columbia
Northern District of Florida
Middle District of Florida
Southern District of Florida
Northern District of Georgia
District of Kansas
District of Maryland
District of Montana
District of Nevada
District of New Jersey
Eastern District of New York
Northern District of New York
Southern District of New York
Western District of New York
Eastern District of North Carolina
Eastern District of Pennsylvania
Middle District of Pennsylvania
Western District of Pennsylvania
Northern District of Texas
Southern District of Texas
Western District of Texas
District of Vermont
Eastern District of Virginia
Western District of Virginia
Western District of Washington

At least 80 percent of employees from the US Attorneys’ offices in the Eastern, Northern, Southern, and Western Districts of New York were breached by the Russian threat actors.

In April, the US government listed APT29 (Cozy Bear) as the threat group responsible for the attack on SolarWinds’ Orion platform. After gaining initial access and editing the Orion Software platform source code, the threat actors deployed backdoors called Sunburst to victims. 300,000 SolarWinds customers were initially listed as victims on their website. 425 US Fortune 500 companies, the top ten US telecom companies, and many other government agencies.

SolarWinds disclosed at least $3.5 million in expenses from the attack in investigations and remediation.

SpearTip’s engineers understood that the fallout of the SolarWinds attack would last for months once they learned of the incident. MSPs have become a prime target for threat actors over the last year because they know they can reach many organizations at once. If your organization utilizes services from third parties, understand the connections they have with your company and allow a team of security engineers to continuously monitor your networks.

By looking at the statistics of the US organizations and governmental agencies that were impacted by the Russian threat actors, it’s evident that there are necessary improvements for these organizations from a security perspective. Although, most threat actors look to achieve financial gain, the number of governmental agencies impacted shows there may have been other motives for the attack.

Regardless of the potential motives, asking the leaders in your organization if your network is being monitored will begin the movement to a more secure business operation. SpearTip’s Security Operations Center as a Service (SOCaaS) combines an endpoint detection and response tool, ShadowSpear, with our certified, technical engineers monitoring networks continuously.