Mimecast has revealed that the 12 January breach of its systems using a compromised Microsoft Office 365 Exchange Web Services authentication certificate was the work of the same advanced persistent threat (APT) group behind the December 2020 SolarWinds attack, confirming a suspected link between the two incidents.
The incident affected three Mimecast products – Sync and Recover, Continuity Monitor, and Internal Email Protect. A number of Mimecast customer Office 365 tenants, understood to be in the low single digits, were targeted in the intrusion.
A subsequent forensic investigation by Mimecast and an external team of experts has now established that the active and dangerous UNC2452 group was behind the attack. The group, suspected to be linked to the Russian government, targeted US federal agencies and other cyber security companies in its action.
In a new statement, Mimecast said: “Recent threat intelligence reports have described the campaign of attacks waged by this threat actor. It is clear that this incident is part of a highly sophisticated large-scale attack and is focused on specific types of information and organisations.
“Now more than ever, transparency and cooperation within the security community are essential to an effective response. We expect that additional organisations will learn or share that they were affected by the threat actor behind the SolarWinds Orion software compromise. We have benefited from the expertise shared by others facing this threat, and we are committed to doing the same, based on our own experience, to create a more secure and resilient community.”
To date, the Mimecast investigation has found that UNC2452 accessed and potentially exfiltrated certain encrypted service account credentials created by customers in the UK and the US. The credentials in question establish connections from Mimecast tenants to on-premise and cloud services, including LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.
Mimecast said it was not aware that any of the encrypted credentials have been decrypted or used against any external targets, but it is nevertheless now taking the step of advising all its customers hosted in the UK or US to take precautionary measures and reset their credentials.
All the customers known to be affected at first were already advised to break and re-establish their connections to their Office 365 tenants with newly issued keys, and all of the compromised keys have been disabled.
Mimecast said it believed the actions taken to isolate and remediate the identified threat would be effective, but it is continuing, for now, to examine and monitor its environment, and will communicate further updates should the situation warrant it.