Kevin Mandia, CEO of the cybersecurity firm FireEye, testifies before the Senate Intelligence Committee in 2017. Mandia's company was the first to sound the alarm about the massive hack of government agencies and private companies on Dec. 8. Susan Walsh/AP hide caption
Kevin Mandia, CEO of the cybersecurity firm FireEye, testifies before the Senate Intelligence Committee in 2017. Mandia's company was the first to sound the alarm about the massive hack of government agencies and private companies on Dec. 8.
The first word that hackers had carried out a highly sophisticated intrusion into U.S. computer networks came on Dec. 8, when the cybersecurity firm FireEye announced it had been breached and some of its most valuable tools had been stolen.
"We escalated very quickly from the moment I got the first briefing that, 'Hey, we have a security incident of some magnitude,' " FireEye CEO Kevin Mandia told All Things Considered co-host Mary Louise Kelly. "My gut was telling me it was something we needed to put people on right away."
Mandia was right. Within days, the scope of the hack began to emerge.
Multiple U.S. agencies were successfully targeted, including the departments of State, Treasury, Commerce, Energy and Homeland Security as well as the National Institutes of Health.
The hackers attached their malware to a software update from Austin, Texas-based company SolarWinds, which makes software used by many federal agencies and thousands of private companies to monitor their computer networks.
The SVR, Russia's foreign intelligence agency, is considered the most likely culprit, according to Secretary of State Mike Pompeo and some members of Congress who have been briefed by the U.S. intelligence community. But the Trump administration has not formally attributed blame.
"What I've seen is 2020 has been about the hardest year, period, to be an information security officer," Mandia said. "It's time this nation comes up with some doctrine on what we expect nations' rules of engagement to be, and what will our policy, or proportional response, be to folks who violate that doctrine. Because right now there's absolutely an escalation in cyberspace."
Here are excerpts from Mandia's interview:
What was that moment like when you're figuring out it's your cybersecurity company that has been hacked?
If you wrote down the reasons why another nation might want to compromise FireEye, you can come up with some reasons. What we do is we track attackers and quite frankly, we out them. We try to figure out here's their fingerprints, let's share those fingerprints with everybody so they can't get away with what they're doing.
[Early on] there was enough operational security by the attacker that I knew it was professional. This wasn't the first rodeo for these attackers. In fact, they followed a tradecraft that the more I learned, the more this was a unit that's been operational for a decade or more. They knew what they were doing, they had novel techniques. So we knew we would have to do the full-court press on our investigation. And we did.
Who is behind this attack?
For me, it's definitely a nation. In regards to the supply chain compromise at SolarWinds, they did an innocuous addition of code in October 2019 inside the supply chain, saw that it was provisioned and deployed so they knew that their techniques on offense to hack the supply chain were efficient and effective. They went live with actual malicious code inside of the SolarWinds in March through June of this year.
So this is somebody who is patient, professional, and what made this interesting to me is I felt they were more interested in staying surreptitious and clandestine than they were about accomplishing their mission.
What nations have this kind of capability?
Not a lot. It's very consistent with what Russia could do. There might be a group out of China that might be able to do it. And that's probably it.
Is there any signature to this attack that would be consistent with other hacks you've seen?
There's probably about six to eight technical details that made me realize this is a nation, and most likely a foreign intelligence service doing this breach. One of them is this: They used an infrastructure to attack FireEye. The IP addresses or systems they use to attack FireEye were not used in any other incident we're aware of.
In other words, the attackers set up an infrastructure to attack FireEye that was wholly unique to attacking FireEye. That takes a lot of maintenance. That takes a lot of coordination. That's an operation not just a hack. Most threat groups, when they attack, will use shared infrastructure to attack many companies. This group does not do that. That in and of itself made me realize it was an operation.
What should we take from the fact that it was FireEye, a private cybersecurity firm, that alerted the U.S. government and not the other way around?
We're all in this together, period. And there's different visibility at different places. When the attacks were happening against FireEye, all the IP addresses used to attack us [were] all inside the United States. And I'm pretty aware that the [National Security Agency] does not do collections within the United States. So we were the ones, kind of on our own, to be able to see this and detect it.
So you're saying you were able to see things that the NSA, despite all of its vast resources, have firewalls against being able to see, domestically?
Well, I wouldn't call it firewalls necessarily. It's just legal remit. You know, when you look at what these attackers do, they're attacking U.S. companies from the United States. That doesn't necessarily mean the attackers are sitting in the United States but the infrastructure they're setting up to attack companies like FireEye are all in the United States. So the malicious intent may not be visible outside the United States and may only be visible inside.
We have thousands and thousands of computers that we inspected for evidence that they were compromised, and we couldn't get anything earlier in the time frame than a SolarWinds system. We sat there looking at the SolarWinds system saying, "We can't find anything bad on it right now, but it's our earliest evidence of compromise. Something's wrong."
So we then had to turn it over to our reverse engineers. This is something most companies can't do. We went through 14 gig of information, over 18,000 files in the update that we got from SolarWinds, over 4,000 executable files. We decompiled them into millions of lines. And then with real malware analysts, we found the needle in the haystack.
Do we know whether the NSA itself was hacked?
I don't have any idea.
So what now? There's a statement from the FBI and the director of national intelligence and the cybersecurity arm of Homeland Security that says this breach is ongoing.
I think as folks are being notified or learning that they're compromised, they're going to have a lot of work to do. All these organizations are both going to have to investigate what happened and figure out the scale and scope of it, and then they're going to have to eradicate the attackers from their network if they're still active.
Even if they're not active, you're going to flex your muscle a little bit to do a lot of remediation. That's going to take months.
But one thing that's definitely clear to me: The attackers have no idea what is the envelope of behavior, what are the rules of engagement.
We're a nation losing billions of dollars to ransomware. And we are a nation that just had potentially one of the most successful cyberespionage campaigns ever done on it.
Read the original post:
- National Security Agency - Wikipedia - August 5th, 2022
- Defence analyst Pravin Sawhneys new book begins with an imagined cyberattack on India by China - Scroll.in - August 5th, 2022
- NSA, Cyber Command tap new election security leaders - The Record by Recorded Future - May 12th, 2022
- This TikTok User Who Finds the Games Playing in TV Shows Needs to Be Working for the NSA - Barstool Sports - May 12th, 2022
- Graduation Week 2022: Cybersecurity grad prepares to protect the world - Jagwire Augusta - May 12th, 2022
- Amazon Is Busting Unions. Biden Is Giving Them Huge Federal Contracts Anyway. - Jacobin magazine - May 12th, 2022
- Modi@20: Balakot blew away the myth of Pakistans nuclear blackmail, writes NSA Ajit Doval - The Tribune India - May 12th, 2022
- Jesus, endless war and the irresistible rise of American fascism - Salon - May 12th, 2022
- Meet Three Bay Area Artists Working to Amplify the Voices of People Who Stutter - KQED - May 12th, 2022
- Nation-state Cyber Attackers aiming at the US Defense Industrial Base - Security Boulevard - May 12th, 2022
- NSA: We 'don't know when or even if' a quantum computer will ever be able to break today's public-key encryption - The Register - September 5th, 2021
- Opportune moment for indigenous development of 5G NSA & SA by C-DOT: Prakash - United News of India - September 5th, 2021
- A Softening Economy Will Be Buffeted By Stimulus Withdrawal And Delta-Variant Surge - Forbes - September 5th, 2021
- Actions of IT giants pave the way for states to monopolize data Snowden - TASS - September 5th, 2021
- Microsoft's Azure Government Top Secret Cloud: All you need to know - TechHQ - September 5th, 2021
- The Scandalous History of the Last Rotor Cipher Machine - IEEE Spectrum - September 5th, 2021
- The NSA Does Not Deny Reading Tucker Carlsons Emails - July 12th, 2021
- Home, but Not Free: NSA Whistleblower Reality Winner Adjusts to Her Release From Prison - The Intercept - July 12th, 2021
- Congress newest subcommittee is focusing on cyber troops and JEDI - Federal News Network - February 11th, 2021
- End the war on whistleblowers - The Week - February 11th, 2021
- NSA Warned Russia to Stay Out Of 2020 Election And Got SolarWinds Hack Instead - NPR - February 1st, 2021
- Biden administration will build on the Quad: NSA Jake Sullivan - The Hindu - February 1st, 2021
- William P. Crowell, Former Deputy Director of the National Security Agency, Joins LookingGlass Advisory Board - HSToday - February 1st, 2021
- SolarWinds Is Not the 'Hack of the Century.' Its Blowback for the NSA's Longtime Dominance of Cyberspace - Common Dreams - February 1st, 2021
- NSA fumes over the violation of coronavirus safety protocols - GhanaWeb - February 1st, 2021
- A Top Biden Cybersecurity Aide Donated Over $500000 to AIPAC as an NSA Official Mother Jones - Mother Jones - February 1st, 2021
- What to expect from NASS and NASED conferences - Politico - February 1st, 2021
- Companies Pay Criminal Penalties And Compensation For Undermining Competition - JD Supra - February 1st, 2021
- Split Up NSA and CYBERCOM - Defense One - December 28th, 2020
- Edward Snowden Pardon and the SolarWinds Hack | - City Journal - December 28th, 2020
- Edward Snowden and wife share photos of newborn son amid push for Trump to pardon NSA leaker - Washington Times - December 28th, 2020
- NSA Year in Review: Election Security, Cybersecurity, and More - HSToday - December 28th, 2020
- No, the United States Does Not Spend Too Much on Cyber Offense - Council on Foreign Relations - December 28th, 2020
- The US has suffered a massive cyberbreach. It's hard to overstate how bad it is - The Guardian - December 28th, 2020
- Satoshi Nakamoto from NSA, AntiChrist and Other Bitcoin Conspiracy Theories - Cryptonews - December 28th, 2020
- Snowden and Assange Deserve Pardons. So Do the Whistleblowers Trump Imprisoned. - The Intercept - December 28th, 2020
- Talks with China will not help says USA NSA on situation on Ladakh - Oneindia - October 10th, 2020
- How to choose the right multifactor authentication program - Federal News Network - October 10th, 2020
- UofL to launch health care cybersecurity curriculum with $6.3 million from National Security Agency, pilot focused on veterans and first responders -... - October 10th, 2020
- National Storage Affiliates Trust Announces Date of its Third Quarter 2020 Earnings Release and Conference Call - Business Wire - October 10th, 2020
- NSA announces new Autumn webinar series 'Feeding the flock and getting it right' - The Scottish Farmer - October 10th, 2020
- How the NSA is disrupting foreign hackers targeting COVID-19 vaccine research - TechCrunch - September 18th, 2020
- Crime Prevention and Community Outreach, Common Goals for NSA and NYPD Commissioner - Abasto, Food and Beverage Industry News - September 18th, 2020
- Deputy NSA gets one year extension - The Hindu - September 18th, 2020
- Exceeding All Expectations: A Journey of Adversity, Triumph and Eternal Optimism - Worth - September 18th, 2020
- Huge threat to national security as hackers attack NIC computers, steal sensitive information - DNA India - September 18th, 2020
- Police: 2 more held in Agra boys kidnap-murder, NSA to be invoked - The Indian Express - September 18th, 2020
- NSA to be invoked against miscreants involved in killing Malihabad farmer: Lucknow DM - Outlook India - September 18th, 2020
- Did the NSA spy on Congress? RT The World According to Jesse - RT - September 5th, 2020
- Nebraska native, 101, defied convention: She served in South Pacific, with MacArthur and at NSA - Omaha World-Herald - September 5th, 2020
- NSA Ajit Doval reviews situation at India-China border - The New Indian Express - September 5th, 2020
- NSA Webinar Part 3: Skills Development and the future of learning during and post the Covid-19 pandemic - Mail and Guardian - September 5th, 2020
- ICE Robotics Expands Offering With NSA Partnership - CleanLink - September 4th, 2020
- National Security Agency | History, Role, & Surveillance ... - August 16th, 2020
- The NSA and FBI Expose Fancy Bear's Sneaky Hacking Tool - WIRED - August 16th, 2020
- NSA and FBI Expose Russian Previously Undisclosed Malware Drovorub in Cybersecurity Advisory FBI - Federal Bureau of Investigation - August 16th, 2020
- Shah Faesal reached out to NSA before he quit party; open to IAS return - Hindustan Times - August 16th, 2020
- How has the pandemic impacted work at the NSA? - C4ISRNet - August 10th, 2020
- Election interference efforts have shifted, NSA and Cyber Command election threats leads say - CyberScoop - August 10th, 2020
- Did Hedge Funds Make The Right Call On National Storage Affiliates Trust (NSA)? - Yahoo Finance - August 10th, 2020
- National Speakers Association Inducts Mary Kelly, Ph. D. into the Speaker Hall of Fame - The Grand Junction Daily Sentinel - August 10th, 2020
- For 2020 Election, Threat is Bigger than Russia > US DEPARTMENT OF DEFENSE - Department of Defense - August 10th, 2020
- The White House reportedly quashed part of an intelligence report that showed Russia is helping the Trump campaign - MSN Money - August 10th, 2020
- GFA Express Appreciation To NSA | General Sports - Peace FM Online - August 10th, 2020
- NSA O'Brien Says US Has 'Sanctioned The Heck Out Of Russia' - Newsmax - August 10th, 2020
- DHS Warns of a Persistent Cyber Threat Targeting Critical Infrastructure in the U.S. - CPO Magazine - August 10th, 2020
- Money Explodes; Gold Glitters; The Recovery Slows - Forbes - August 10th, 2020
- NSA Reports on New Cyber Vulnerability in Computers - ExecutiveGov - August 10th, 2020
- The Trump administration reportedly quashed an intelligence report that showed Russia is helping him win the 2020 election - MSN Money - August 10th, 2020
- There Will Be Blowback - Forbes - August 10th, 2020
- What and how are you thinking? Anything is possible - Martins Ferry Times Leader - August 10th, 2020
- TikTok and National Security: The Need for a Comprehensive U.S. Privacy Law - Security Boulevard - August 10th, 2020
- Buhari to overhaul the nation's security apparatus, says NSA - TheCable - August 10th, 2020
- Trump quashed report section showing Russia is helping him win 2020 - Business Insider - Business Insider - August 9th, 2020
- NSA Sheep 2020 to be a virtual sheep show - South West Farmer - August 8th, 2020
- All you need to hijack a Mac is an old Office document and a .zip file - TechRadar - August 8th, 2020
- Silicon Valley's Vast Data Collection Should Worry You More Than TikTok - Jacobin magazine - August 8th, 2020
- T-Mobile Is The First Carrier Globally To Launch Nationwide Standalone (SA) 5G - Forbes - August 7th, 2020
- The Room Where It Happened: Former US NSA exposes the frailties of the Trump administration - The Financial Express - August 4th, 2020
- NSA Sheep 2020 to go virtual over two days - FarmingUK - July 31st, 2020