In yet another dastardly twist in the ongoing SolarWinds debacle, the U.S. Department of Justice announced Wednesday that hackers had accessed the inboxes of over 3,000 DOJ employee Microsoft email accounts.
The news comes less than a day after the federal government formally blamed Russia for the giant cyberattack, alleging a hacker group attached to the Kremlin was “likely” conducting an “intelligence gathering” mission when it snaked its way into a bevy of important federal agencies via third-party software updates.
While authorities said it doesn’t appear that classified information was viewed during the course of the DOJ breach, the news is still another startling example of just how massive this hack is—and how much is still unknown about its true extent. The news broke soon after o a discovery made by security researchers and reported by Forbes that the servers of some 1,500 SolarWinds customers are still exposed to the internet, meaning they are vulnerable to hacking.
“At this point, the number of potentially accessed [Microsoft Office] mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted,” DOJ spokesperson Marc Raimondi said in a statement. The DOJ has some 115,000 employees, meaning approximately 3,500 email accounts were breached, Politico calculated.
The hack was discovered on Christmas Eve, when the agency’s Office of the Chief Information Officer (OCIO) “learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. After discovering the intrusions into its Office 365 accounts, the OCIO subsequently “eliminated the identified method by which” the hackers had gained entry, according to officials.
Raimondi also noted this breach counts as a “major incident” under the Federal Information Security Modernization Act (FISMA). Under FISMA, federal agencies are required to notify Congress and the public about incidents that qualify as “major” (such incidents are defined as ones “likely to result in demonstrable harm to the national security interests, foreign relations or … economy of the United States or the public confidence, civil liberties or public health,” which SolarWinds surely qualifies as).
Per FISMA’s reporting requirements, that means there should be updates about this particular incident available in the somewhat near future, as the affected agency must “also supplement its initial notification to Congress with pertinent updates within a reasonable period of time after additional information relating to the incident is discovered,” as the law requires. These updates should include further information on the “threats and threat actors” involved and information on the status of the agency’s security compliance prior to the hack—all of which is designed to show how ready (or not ready) the government was for such an attack.