Mimecast says SolarWinds hackers stole some of its source code

Email security company Mimecast has updated today its January 2021 data breach disclosure to add that intruders downloaded some of its source code.

The email security firm previously disclosed a data breach on January 12, 2021, and then confirmed that the breach occurred via a trojanized version of the SolarWinds Orion app on January 26.

At the time, Mimecast said that hackers —believed to be a cyber-espionage group working on behalf of the Russian government— used a backdoor implanted in the Orion IT monitoring platform to gain a foothold and breach its internal network.

The intruders used this access to steal a certificate that Mimecast provided to its customers so they could authenticate and interconnect Mimecast products (such as Sync and Recover; Continuity Monitor; and IEP) with Microsoft 365 Exchange Web Services infrastructure.

Mimecast said that attackers used the stolen cert to access the Microsoft accounts but that these intrusions were only limited to "a single-digit number" customers.

In addition, an investigation conducted with security firm FireEye also found that hackers moved across Mimecast's internal network.

"We determined that the threat actor leveraged our Windows environment to query, and potentially extract, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom," Mimecast said on January 26.

"These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes."

New findings point to source code theft

But in an updated statement published today, Mimecast said it discovered new corners of its internal network that hackers also gained access to.

"All compromised systems were Windows-based and peripheral to the core of our production customer infrastructure," the company said.

Mimecast said it replaced all compromised servers "to eliminate the threat," and that after investigation, it found no evidence that the threat actor accessed email or archive content that the company was storing on the impacted servers on behalf of its customers.

However, the follow-up investigation also found out that the intruders managed to pivot to Mimecast's code hosting repositories from where they downloaded some parts of the company's source code —in the same way they also stole source code from Microsoft's internal network.

And just like in the case of the Microsoft incident, Mimecast said the intruders only stole some small portions of the code and not all of its projects.

"We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service," the company said today.

"We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products," it added.