The state-backed group implicated in the SolarWinds Solorigate/Sunburst attack also hit Malwarebytes during its December 2020 campaign, gaining access by abusing applications that held privileged access to the firm’s Microsoft Office 365 and Azure environments.
The group, which has been dubbed UNC2452, also compromised FireEye – the initial incident that led investigators to the SolarWinds compromise – along with a number of other technology firms. Its compromise of Malwarebytes, however, was not carried out via SolarWinds, as the two firms have no relationship.
In a message disclosing the incident, Malwarebytes CEO Marcin Kleczynski said that there was no doubt the company was attacked by the same gang.
“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” he wrote.
“After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorised access or compromise in any of our internal on-premises and production environments.”
Malwarebytes first learned of suspicious activity originating from a third-party application within its Microsoft Office 365 tenant, activity consistent with the tactics, techniques and procedures (TTPs) of UNC2452.
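The intrusion vector Kleczynski describes, an application in the tenant holding privileged access, is something a defender can hunt for directly: a service principal that holds high-privilege application permissions (mailbox reading in particular, given that emails were what the attacker reached) and that recently acquired a new secret or certificate. The script below is an added example written for this article, not Malwarebytes' or Microsoft's own tooling. It takes the Microsoft Graph shapes of servicePrincipal (with passwordCredentials and keyCredentials), appRoleAssignment (principalId, resourceId, appRoleId) and the resource application's appRoles (id, value); the list of permission names it treats as high-privilege, the 30-day lookback and the records it runs on are constructed assumptions for the demonstration, not data from the incident.

```python
"""Flag Azure AD / Entra service principals that hold high-privilege application
permissions and recently gained a credential. Added example, not vendor code.
Input shapes follow Microsoft Graph; the sample records below are constructed."""
from datetime import datetime, timedelta, timezone

# Application (app-only) permissions that let an app read or control tenant data
# without any signed-in user. Assumed starting set; extend for your tenant.
HIGH_PRIVILEGE_APP_ROLES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
}


def parse_graph_time(value):
    """Graph returns ISO-8601 timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credentials_added_since(sp, since):
    """Secrets or certificates on a service principal whose start time is after `since`."""
    found = []
    for kind in ("passwordCredentials", "keyCredentials"):
        for cred in sp.get(kind, []):
            if parse_graph_time(cred["startDateTime"]) >= since:
                found.append((kind, cred.get("keyId"), cred["startDateTime"]))
    return found


def privileged_roles(sp_id, assignments, role_names):
    """Names of high-privilege application permissions granted to one service principal."""
    roles = set()
    for a in assignments:
        if a["principalId"] != sp_id:
            continue
        name = role_names.get((a["resourceId"], a["appRoleId"]))
        if name in HIGH_PRIVILEGE_APP_ROLES:
            roles.add(name)
    return roles


def find_suspicious_apps(service_principals, assignments, resource_app_roles,
                         now, lookback_days=30):
    """Return apps that both hold a high-privilege role and got a credential in the window."""
    since = now - timedelta(days=lookback_days)
    # (resourceId, appRoleId) -> permission name, built from each resource's appRoles
    role_names = {(rid, r["id"]): r["value"]
                  for rid, roles in resource_app_roles.items() for r in roles}
    findings = []
    for sp in service_principals:
        roles = privileged_roles(sp["id"], assignments, role_names)
        creds = credentials_added_since(sp, since)
        if roles and creds:
            findings.append({"displayName": sp["displayName"], "appId": sp["appId"],
                             "roles": sorted(roles), "newCredentials": creds})
    return findings


# Constructed sample tenant: IDs and names are synthetic, not from the incident.
RESOURCE_APP_ROLES = {
    "graph-resource-sp": [
        {"id": "role-mail-read", "value": "Mail.Read"},
        {"id": "role-user-read-all", "value": "User.Read.All"},
        {"id": "role-dir-rw", "value": "Directory.ReadWrite.All"},
    ]
}
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "Legacy Mail Sync",
     "passwordCredentials": [{"keyId": "k-old", "startDateTime": "2019-06-01T00:00:00Z"},
                             {"keyId": "k-new", "startDateTime": "2020-12-17T09:30:00Z"}]},
    {"id": "sp-2", "appId": "app-2", "displayName": "HR Portal",
     "passwordCredentials": [{"keyId": "k-hr", "startDateTime": "2020-12-18T12:00:00Z"}]},
    {"id": "sp-3", "appId": "app-3", "displayName": "Backup Agent",
     "keyCredentials": [{"keyId": "k-bk", "startDateTime": "2019-01-10T00:00:00Z"}]},
]
ASSIGNMENTS = [
    {"principalId": "sp-1", "resourceId": "graph-resource-sp", "appRoleId": "role-mail-read"},
    {"principalId": "sp-2", "resourceId": "graph-resource-sp", "appRoleId": "role-user-read-all"},
    {"principalId": "sp-3", "resourceId": "graph-resource-sp", "appRoleId": "role-dir-rw"},
]
NOW = datetime(2020, 12, 20, tzinfo=timezone.utc)


def demo():
    """Run the hunt over the constructed tenant; only 'Legacy Mail Sync' should surface."""
    return find_suspicious_apps(SERVICE_PRINCIPALS, ASSIGNMENTS, RESOURCE_APP_ROLES, NOW)


if __name__ == "__main__":
    for f in demo():
        print(f["displayName"], f["appId"], f["roles"], f["newCredentials"])
```

Only the mail-reading app with a fresh secret is reported: the HR app has a new credential but no high-privilege role, and the backup agent has a powerful role but no new credential, which is the pairing that separates an attacker adding a credential to an existing privileged app from routine administration. Against a real tenant the three inputs come from the servicePrincipals collection, each principal's appRoleAssignments, and the appRoles on the resource (for Office 365 mail, the Microsoft Graph) service principal; whether 30 days is the right window is a judgement call for the investigating team.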