The US Department of Justice, Mandiant, and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, WIRED has learned, but were unaware of the significance of what they had found.
The breach, publicly announced in December 2020, involved Russian hackers compromising the software maker SolarWinds and inserting a backdoor into software served to about 18,000 of its customers. That tainted software went on to infect at least nine US federal agencies, among them the Department of Justice (DOJ), the Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms including Microsoft, Mandiant, Intel, Cisco, and Palo Alto Networks. The hackers had been in these various networks for between four and nine months before the campaign was exposed by Mandiant.
WIRED can now confirm that the operation was actually discovered by the DOJ six months earlier, in late May 2020—but the scale and significance of the breach weren’t immediately apparent. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. The software, used by system administrators to manage and configure networks, was communicating externally with an unfamiliar system on the internet. The DOJ asked the security firm Mandiant to help determine whether the server had been hacked. It also engaged Microsoft, though it’s not clear why the software maker was also brought onto the investigation.
It’s not known what division of the DOJ experienced the breach, but representatives from the Justice Management Division and the US Trustee Program participated in discussions about the incident. The Trustee Program oversees the administration of bankruptcy cases and private trustees. The Management Division advises DOJ managers on budget and personnel management, ethics, procurement, and security.
Investigators suspected the hackers had breached the DOJ server directly, possibly by exploiting a vulnerability in the Orion software. They reached out to SolarWinds to assist with the inquiry, but the company’s engineers were unable to find a vulnerability in their code. In July 2020, with the mystery still unresolved, communication between investigators and SolarWinds stopped. A month later, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite, the sources say.
A DOJ spokesperson confirmed that the incident and investigation occurred but wouldn’t provide any details about what investigators concluded. “While the incident response and mitigation effort was completed, the FBI’s criminal investigation remained open throughout,” the spokesperson wrote in an email. WIRED confirmed with sources that Mandiant, Microsoft, and SolarWinds were involved in discussions about the incident and investigation. All three companies declined to discuss the matter.
The DOJ told WIRED that it notified the US Cybersecurity and Infrastructure Agency (CISA) about the breach at the time it occurred—though a US National Security Agency spokesperson expressed frustration that the agency was not also notified. But in December 2020, when the public learned that a number of federal agencies were compromised in the SolarWinds campaign—the DOJ among them—neither the DOJ nor CISA revealed to the public that the operation had unknowingly been found months earlier. The DOJ initially said its chief information officer had discovered the breach on December 24.
In November 2020, months after the DOJ completed the mitigation of its breach, Mandiant discovered that it had been hacked, and traced its breach to the Orion software on one of its servers the following month. An investigation of the software revealed that it contained a backdoor that the hackers had embedded in the Orion software while it was being compiled by SolarWinds in February 2020. The tainted software went out to about 18,000 SolarWinds customers, who downloaded it between March and June, right around the time the DOJ discovered the anomalous traffic exiting its Orion server. The hackers chose only a small subset of these to target for their espionage operation, however. They burrowed further into the infected federal agencies and about 100 other organizations, including technology firms, government agencies, defense contractors, and think tanks.
Mandiant itself installed the tainted Orion software on July 28, 2020, the company told WIRED, which would have coincided with the period when the company was helping the DOJ investigate its breach.
When asked why, when the company announced the supply-chain hack in December, it didn’t publicly disclose that it had been tracking an incident related to the SolarWinds campaign in a government network months earlier, a spokesperson noted only that “when we went public, we had identified other compromised customers.”
The incident underscores the importance of information-sharing among agencies and industry, something the Biden administration has emphasized. Although the DOJ had notified CISA, a spokesperson for the National Security Agency told WIRED that it didn’t learn of the early DOJ breach until January 2021, when the information was shared in a call among employees of several federal agencies.
That was the same month the DOJ—whose 100,000-plus employees span multiple agencies including the FBI, Drug Enforcement Agency, and US Marshals Service—publicly revealed that the hackers behind the SolarWinds campaign had possibly accessed about 3 percent of its Office 365 mailboxes. There are conflicting reports about whether this attack was part of the SolarWinds campaign or carried out by the same actors. Six months later, the department expanded on this and announced that the hackers had managed to breach email accounts of employees at 27 US Attorneys’ offices, including ones in California, New York, and Washington, DC.
In its latter statement, the DOJ said that to “encourage transparency and strengthen homeland resilience,” it wanted to provide new details, including that the hackers were believed to have had access to compromised accounts from about May 7 to December 27, 2020. And the compromised data included “all sent, received, and stored emails and attachments found within those accounts during that time.”
The investigators of the DOJ incident weren’t the only ones to stumble upon early evidence of the breach. Around the same time as the department’s investigation, security firm Volexity, as the company previously reported, was also investigating a breach at a US think tank and traced it to the organization’s Orion server. Later, in September, the security firm Palo Alto Networks also discovered anomalous activity in connection with its Orion server. Volexity suspected there might be a backdoor on its customer’s server but ended the investigation without finding one. Palo Alto Networks contacted SolarWinds, as the DOJ had, but in that case as well, the problem went unidentified.
Senator Ron Wyden, an Oregon Democrat who has been critical of the government’s failure to prevent and detect the campaign in its early stages, says the revelation illustrates the need for an investigation into how the US government responded to the attacks and missed opportunities to halt it.
“Russia’s SolarWinds hacking campaign was only successful because of a series of cascading failures by the US government and its industry partners,” he wrote in an email. “I haven’t seen any evidence that the executive branch has thoroughly investigated and addressed these failures. The federal government urgently needs to get to the bottom of what went wrong so that in the future, backdoors in other software used by the government are promptly discovered and neutralized.”