The Justice Department on Wednesday joined a growing list of confirmed victims in the public and private sector of a suspected Russian espionage campaign that used tainted software made by SolarWinds.
The attackers were able to burrow their way into the Microsoft Office 365 email accounts of Justice Department employees and potentially had access to “around 3%” of such email accounts in the department, Marc Raimondi, a department spokesman, said in a statement. The Justice Department has more than 115,000 employees, according to a fiscal 2020 budget request, but not all employees use Office 365, Raimondi told CyberScoop. He declined to say how many employees do use the software.
The departments of Commerce, Energy and Treasury have also confirmed breaches. “Fewer than 10” U.S. agencies have been victimized by the targeted espionage operation, according to investigators.
The Justice Department statement comes a day after U.S. investigators for the first time formally implicated Russia in the hack, saying it was “likely Russian in origin.” Moscow has denied involvement in what is shaping up to be the first big cybersecurity test of Joe Biden’s presidency.
Justice Department officials did not learn of the malicious activity on their networks until Dec. 24, Raimondi said, more than 10 days after the Commerce Department became the first federal agency to confirm it had been breached. That underscores the ongoing nature of the investigation into the apparent espionage campaign, and the work left to be done to remediate it.
“After learning of the malicious activity, the [department’s Office of the Chief Information Officer] eliminated the identified method by which the actor was accessing the O365 email environment,” Raimondi said. There is no evidence that classified systems were affected, he said.
Raimondi said the breach constituted “a major incident” under the Federal Information Security Modernization Act, a designation that requires agencies to notify Congress.