Justice Department confirms SolarWinds hackers accessed Department emails

The Justice Department joins a growing list of formally confirmed victims in the espionage campaign.
Photo: The Robert F. Kennedy Department of Justice Building in Washington, D.C., headquarters of the United States Department of Justice.

The Justice Department on Wednesday joined a growing list of confirmed victims in the public and private sector of a suspected Russian espionage campaign that used tainted software made by SolarWinds.

The attackers were able to burrow their way into the Microsoft Office 365 email accounts of Justice Department employees and potentially had access to “around 3%” of such email accounts in the department, Marc Raimondi, a department spokesman, said in a statement. The Justice Department has more than 115,000 employees, according to a fiscal 2020 budget request, but not all employees use Office 365, Raimondi told CyberScoop. He declined to say how many employees do use the software.

The departments of Commerce, Energy and Treasury have also confirmed breaches. “Fewer than 10” U.S. agencies have been victimized by the targeted espionage operation, according to investigators.

The Justice Department statement comes a day after U.S. investigators for the first time formally implicated Russia in the hack, saying it was “likely Russian in origin.” Moscow has denied involvement in what is shaping up to be the first big cybersecurity test of Joe Biden’s presidency.


Justice Department officials did not learn of the malicious activity on their networks until Dec. 24, Raimondi said, more than 10 days after the Commerce Department became the first federal agency to confirm it had been breached. That underscores the ongoing nature of the investigation into the apparent espionage campaign, and the work left to be done to remediate it.

“After learning of the malicious activity, the [department’s Office of the Chief Information Officer] eliminated the identified method by which the actor was accessing the O365 email environment,” Raimondi said. There is no evidence that classified systems were affected, he said.

Raimondi said the breach constituted “a major incident” under the Federal Information Security Modernization Act, a designation that requires agencies to notify Congress.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
