This article is more than 1 year old

Mimecast bins SolarWinds and compromised servers alike in wake of supply chain hack

Signs up for Cisco, says some encrypted creds were stolen

Email security biz Mimecast has dumped SolarWinds' network monitoring tool in favour of Cisco's Netflow product after falling victim to the infamous December supply chain attack.

In an incident report detailing its experiences of the SolarWinds compromise, Mimecast said it had "decommissioned SolarWinds Orion and replaced it with an alternative NetFlow monitoring system".

On top of that, the email security firm also junked a number of "compromised" servers, while admitting that the potentially Russian attackers had "accessed a subset of email addresses and other contact information", "customer server connection information", and "encrypted and/or hashed and salted credentials" as well as viewing source code repositories and Mimecast-issued certificates.


Hacked by SolarWinds backdoor masterminds, Mimecast now lays off staff after profit surge


"We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers," insisted the US-headquartered firm. It added that it had previously warned US and UK customers that the malicious people behind the hack had potentially accessed certain server connection credentials: "These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes."

Having cleaned up the compromise with the aid of Mandiant, FireEye's incident response arm (and the first org to realise what had happened), Mimecast said it had rotated "all impacted certificates and encryption keys, deployed extra monitoring and verified its build systems".

The incident report laid out how much hassle the SolarWinds attackers caused. In addition, the loss of Mimecast as a customer won't have helped SolarWinds' cause. As the first major enterprise to confirm that it has junked SolarWinds in the wake of the supply chain attack, Mimecast could potentially lead the way for others to migrate from the beleaguered infrastructure monitoring 'n' management company.

Among SolarWinds' 18,000 Orion customers were various governments around the world, including the United Kingdom.

Govt impact of Solarwinds? It won't say

The UK government has steadfastly refused to answer The Register’s questions about the extent and impact of the SolarWinds compromise, even though it is public knowledge that some ministries and agencies were (and are) using Orion in their networks.

Palace of Westminster

UK Cabinet Office spokesman tells House of Lords: We're not being complacent about impact of SolarWinds hack


It’s a policy decision not to talk about cyber security: even people charged with formally overseeing have been told to bugger off and shut up whenever they’ve asked similar questions.

The National Cyber Security Centre, which doubles as the goalkeeper for other government departments whenever journalists start asking IT security questions, merely said it was "working closely with FireEye and international partners" – much as it stayed silent on the Hafnium Microsoft Exchange attacks until late last Friday afternoon. Even then it said nothing that the US hadn't already been bellowing from the heavens for a fortnight.

While the British government has publicly stuck its head into the sand, the leaders of the free world have been open and voluble about the SolarWinds compromise's effects. At least the American taxpayer knows where their dollars are being spent – and precisely how effective that spending is, too. ®

More about


Send us news

Other stories you might like