Mandia Alerted NSA on FireEye's SolarWinds Breach

Published: 23/11/2024   Category: security




National security concerns led former CEO Kevin Mandia to call the NSA when FireEye discovered its breach in late 2020.



MANDIANT CYBER DEFENSE SUMMIT — Washington, DC — It was just before the Thanksgiving holiday in 2020 when Kevin Mandia, then CEO of FireEye, made a rare and urgent visit to Fort Meade, Md. He shared with the National Security Agency (NSA) stunning details of an aggressive and ultra-sophisticated cyberattack on his company that was eerily familiar to him after more than two decades of investigating attacks from foreign adversaries.

"In my gut, very early on I felt that it was a Russian foreign intelligence operation. I kept thinking, it's not just us. In my mind I was thinking, we're locked onto it right now and I know we're not victim one. ... And I'm not hearing anything from anyone; what the hell is this? The silence was deafening," he said in an interview here with Dark Reading. "I made the call, too, [to the NSA also] because it felt to me that we could potentially have a national security issue [here]."

Mandia had not publicly revealed his interaction with the NSA that day about the SolarWinds breach until today, after NSA director and Commander of US Cyber Command Paul Nakasone shared the anecdote during his keynote address here, giving Mandia a shoutout for briefing the NSA on the breach. Nakasone explained how the heads-up helped the agency with its investigation into the SolarWinds campaign.

Nakasone said the cooperation between the company and the NSA was a prime example of what public-private partnerships in cybersecurity should achieve, for his agency and other key agencies. "Almost a year ago, Kevin came to the NSA and said he had strong indicators of a hostile foreign adversary in FireEye's private corporate systems," Nakasone said in his keynote address. The information shared with the intel agency allowed it to corroborate and uncover more details of the overall attack and key technical details, he said, including the vulnerability at the root of the SolarWinds incident.
FireEye, which recently was spun off from Mandiant, found that the attackers had stolen some of its red-team assessment tools used in its customer engagements. While FireEye — and Mandia — have mostly shied away from naming the attackers, the US government has confirmed it was Russia's SVR intelligence agency. The attackers mostly were after intel on specific FireEye government customers and had gained access to some of the company's servers.

Nakasone said that NSA's hunt team found the novel malware and was able to end the attack campaign. It shortened the time frame during which the attackers could have been inside their targets and establishing deeper footholds in their networks, he said. For any intel organization, the goal is not to be caught in the act, so for the SolarWinds attackers to have their operations exposed and stopped in less than one year is not typical, he said. Because Mandia contacted the NSA, the duration of the attack was shortened and deeper breaches were thwarted, Nakasone said.

"The SolarWinds incident was the turning point for our nation," Nakasone said, and FireEye and NSA's partnership was critical for thwarting further damage by the attackers.
Mandia said he had recognized a pattern in the SolarWinds attack akin to one he had responded to back in the mid- to late 1990s that was believed to be the handiwork of the SVR. "The calculation wasn't hard. We knew we needed help, and we did enough business with the US government that we knew we needed to get this information to you," he told Nakasone during their keynote question-and-answer session.

The attackers purposely used US-based IP addresses, which put them out of the watchful eye of the intel agency, Mandia explained. "There are times the private sector is gonna see something and the government is not," he said.

Sharing attack and threat intelligence with the US government has long been an awkward interaction for the private sector; many organizations remain wary because often they get no benefit, nor additional intel, for doing so. "There's not a carrot for the company that goes public with its attack," Mandia said. "There may even be times when it's hard for us to share," he added, saying that his organization would refrain from naming any victim of an attack to the feds. "That's not mine to share," he said of those details.
Lessons From SolarWinds
Mandia admitted it was painful but enlightening to find himself in the victim organization role. Even so, running a company that specializes in incident response — and that had the resources to concentrate on the attack IR — gave the company a rare edge most victim organizations obviously don't have.

"I got to learn firsthand what it's like," he said. "But it's got to be totally frustrating to other victim organizations that don't have hundreds of specialists dedicated to investigating their breaches." It still wasn't easy for FireEye/Mandiant to get to the bottom of what the attackers stole, given the attackers' discipline and skills, he said. "What I can't stand is that if they target you, they're gonna win. They will keep going at you until the day they succeed."
