Mimecast confirms SolarWinds attackers breached security certificate, ‘potentially exfiltrated’ credentials

Mimecast offers an attractive target for spies looking to burrow into high-value organizations
A view of Mimecast's North American offices. The email security provider said a "sophisticated threat actor" had breached its software certificate (Mimecast/Wikimedia Commons).

Email security firm Mimecast on Tuesday confirmed that the hackers behind the SolarWinds espionage campaign compromised a software certificate the firm uses to secure connections to Microsoft cloud services.

The revelation underscores how deeply embedded the suspected Russian hackers have been in major technology companies as part of a campaign that has also breached multiple U.S. federal agencies.

The hackers may have exfiltrated “certain encrypted service account credentials created by customers hosted” in the U.S. and the U.K., the new Mimecast statement reveals. The company said it wasn’t aware of the hackers decrypting or abusing any of the stolen credentials. But it still told its U.S. and U.K.-hosted customers to reset their credentials as a precaution.

Mimecast, which says it has 39,000 customers around the world, offers an attractive target for spies looking to burrow into high-value organizations. A stolen software certificate of this type could allow an intruder to lurk undetected and spy on Mimecast clients for months. The London-based firm has said the attackers apparently targeted “a low single-digit number” of customers.


“We have taken actions to isolate and remediate the identified threat, which we believe to be effective,” Mimecast said Tuesday.

Mimecast had disclosed a breach of its software certificate on Jan. 12, but did not name the culprit then.

Tony Cole, chief technology officer of the security firm Attivo Networks, said the Mimecast breach “could easily lead to successful attacks on Active Directory,” the Microsoft software that manages a computer network. “We must focus more on protecting Active Directory because it is a lot like the GPS of a Microsoft-centric enterprise.”

The broader hacking campaign has caused an uproar in Washington, and promises to be a big early test for the Biden administration’s cybersecurity policies. President Joe Biden has vowed a response to the cyber activity, which U.S. officials have said is “likely Russian in origin.” Moscow has denied involvement.

Biden raised the SolarWinds hacking campaign in a call Tuesday with Russian President Vladimir Putin, according to a White House statement. Further details were not immediately available.


Mimecast is one of many big tech firms to be implicated in the hacking campaign, which has also exploited bugged software made by SolarWinds, a Texas-based federal contractor. The attackers have viewed Microsoft’s source code and stolen the red-team tools that security firm FireEye uses to test clients’ defenses.

Cybersecurity firms continue to investigate the effect of the hacking campaign on their networks. Maryland-based Fidelis Cybersecurity said Tuesday that it had installed the trojanized SolarWinds software on one of its machines in May 2020, but that there was no indication the incident had impacted the firm’s networks.

SolarWinds’ software is also widely used in critical infrastructure sectors such as oil and gas and electricity.

Anti-virus firm Kaspersky said Tuesday that 27 of its customers in industrial sectors such as mining, energy and manufacturing had installed the malicious SolarWinds software. The victims were located around the world, from North America to the Asia Pacific.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts