Cyber Incident Victim: Malwarebytes
Date: Jan 2021
Location: United States of America
Summary
Malwarebytes, a cybersecurity company, was breached by the same nation-state-sponsored threat actors responsible for the SolarWinds supply chain compromise. The attackers infiltrated the security firm using a different intrusion vector than the one employed against SolarWinds, demonstrating their ability to leverage multiple methods beyond the initial software distribution system compromise. This incident confirmed the broader scope of the campaign, which had previously targeted numerous U.S. government agencies and private organizations. The breach underscored the advanced capabilities of the threat group and their persistent focus on high-value entities across both public and private sectors.
Description
On January 23, 2021, cybersecurity firm Malwarebytes disclosed a breach by the same nation-state-sponsored threat actors responsible for the SolarWinds supply chain attack. The attackers, known for compromising SolarWinds’ software distribution infrastructure to deliver malicious updates to customers, employed a different intrusion vector against Malwarebytes. Malwarebytes confirmed it did not use SolarWinds software, ruling out that initial infection pathway. The company identified unauthorized access to a limited subset of internal company emails through attacker abuse of privileged access tokens within Microsoft Office 365 and Azure environments. Malwarebytes detected the intrusion through its internal security monitoring, which flagged anomalous activity associated with the threat group’s known tactics. The breach was part of the broader campaign targeting multiple government agencies and private enterprises, though Malwarebytes emphasized its endpoint protection products remained unaffected and continued to block malicious payloads.

The investigation revealed no evidence of compromise to Malwarebytes’ core production environments, customer data, or proprietary source code. The primary impact was restricted to internal email communications accessed via the compromised Office 365 tenant. Malwarebytes initiated containment measures, including revoking adversarial access credentials, hardening identity and access management controls, and conducting forensic audits across cloud and on-premises systems. The company collaborated with Microsoft’s security team and law enforcement agencies to investigate the attack’s scope and origins. Public disclosure emphasized transparency, with Malwarebytes affirming its products detected and mitigated follow-on attacker activities despite the initial breach. The incident underscored the threat actors’ adaptability in exploiting cloud service vulnerabilities beyond the SolarWinds software supply chain, highlighting risks to organizations reliant on SaaS platforms. Malwarebytes’ response focused on reinforcing cloud infrastructure security while maintaining service continuity for its user base.
