FireEye’s Mandia on SolarWinds hack: ‘This was a sniper round’

Written by

The foreign espionage operation that breached several U.S. government agencies through SolarWinds software updates was unique in its methods and stealth, according to FireEye CEO Kevin Mandia, whose company discovered the activity.

“This was not a drive-by shooting on the information highway. This was a sniper round from somebody a mile away from your house,” Mandia said Sunday morning on CBS’s “Face the Nation.” “This was special operations. And it was going to take special operations to detect this breach.”

Mandia estimated that about “only about 50 companies or organizations” were the true targets of the operation, which is suspected to be the work of the Russian intelligence agency known as the SVR. Texas-based SolarWinds reportedly has about 300,000 customers overall in government and industry, and the malware in the spy campaign was pushed out to about 18,000 of those, including U.S. government agencies and major corporations.

In the CBS interview, Mandia did not attribute the operation directly to Russia, but he said it was definitely the work of a nation-state with a long history of participating in the “continuing game in cyberspace.” He said the attack was “very consistent” with an SVR operation, and it was important to make certain any attribution was definitive.

Despite bearing the hallmarks of a familiar hacking group, this particular campaign was “totally unique” and “utterly clandestine” in how it happened, Mandia said.

“And quite frankly, it was a backdoor into the American supply chain that separates this from thousands of other cases that we’ve worked throughout our careers,” Mandia said.

Although many details about the SolarWinds hack are unclear, Mandia and other analysts have settled on a rough timeline: The attackers breached the software update platform for the company’s Orion product in October 2019 and inserted what Mandia called “innocuous” code. In March of this year, the foreign operators returned to add malware — essentially a backdoor that allowed them access into the network of any organization that installed it.

Secretary of State Mike Pompeo has said the attack was “pretty clearly” the work of Russia. The Kremlin continues to deny that Russia was involved.

Mandia, a former Air Force officer, echoed comments by other prominent members of the cybersecurity community in saying that over the long term, there must be clearer expectations for how nation-states behave in cyberspace.

“Folks have to know the rules of the game,” Mandia said. “And the problem in cyber is we’re not doing the work to come up with the doctrine.” It should be clear that for the U.S., there will be a “proportional response” to an incident like this one, he said.

“You saw what happened when somebody used chemical weapons in Syria,” Mandia said. “There was retaliation.”

Other prominent officials, including Microsoft President Brad Smith, have been pushing for international agreements on norms for activities in cyberspace.

The U.S. government, while continuing to assess and fix the problems in its own networks, is continuing to warn private sector companies about the potential impacts of the SolarWinds breach. The National Security Agency last week warned defense contractors that the malware in that incident could be used in concert with another vulnerability in a separate company’s software.

FireEye also has been actively involved in responding to the SolarWinds incident. Last week the cybersecurity company teamed up with Microsoft to create an internet “killswitch” intended to stifle activities associated with the malware.

The company said it discovered the broader campaign while responding to a widely reported breach of its own network.

Watch Kevin Mandia on “Face the Nation,” below: