
Photographer: Andrey Rudakov / Bloomberg
When FireEye Inc. discovered this month that it had been hacked, the cybersecurity firm's investigators immediately began trying to figure out how the attackers had gotten past its defenses.
They quickly found out that FireEye was not the only target. The researchers discovered a vulnerability in a product made by one of its software vendors, Texas-based SolarWinds Corp.
“We examined 50,000 lines of source code, which we were able to determine was a back door to SolarWinds,” said Charles Carmakal, senior vice president and technical director of Mandiant, the FireEye incident response arm.
After discovering the back door, FireEye contacted SolarWinds and law enforcement, Carmakal said.
The hackers, suspected of being part of an elite Russian group, took advantage of the vulnerability to deploy malware, which then made its way into SolarWinds customers’ systems when they updated their software. So far, more than 25 entities have been victims of the attack, according to people familiar with the investigations. But SolarWinds says as many as 18,000 entities may have downloaded the malicious Trojan.
The attackers targeted and compromised “high-value targets, both governmental and commercial,” Carmakal said.
Hackers who attacked FireEye stole sensitive tools that the company uses to find vulnerabilities in customers’ computer networks. While being hacked was embarrassing for a cybersecurity company, Carmakal argued it could prove to be a crucial mistake for the hackers. “If this actor didn’t hit FireEye, there’s a possibility that this campaign could have lasted much, much longer,” Carmakal said. “One piece of news is that we have learned a lot about how this threat actor works and we have shared it with our security agents, the intelligence community and our security partners.” Carmakal said there is no evidence that the hacking tools stolen from FireEye have been used against U.S. government agencies.
“Unfortunately there will be more victims who will have to show up in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29 or Cozy Bear, FireEye had yet to see enough evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.
FireEye’s investigation revealed that the hack itself was part of a global campaign by a highly sophisticated actor that was also targeting “government, consulting, technology, telecommunications and extractive entities in North America, Europe, Asia and the Middle East,” the company said in a blog post Sunday night. “We anticipate that there will be additional casualties in other countries and verticals.”
The Commerce Department confirmed a breach in one of its bureaus, and Reuters reported that the Department of Homeland Security and the Treasury Department were also attacked as part of the alleged Russian hacking campaign.
Carmakal said the hackers took advanced steps to disguise their actions. “Their level of operational security is truly exceptional,” he said, adding that the hackers would operate from servers in the same city as the employee they were impersonating in order to evade detection.
The hackers were able to breach U.S. government entities by first attacking SolarWinds, an IT provider. By compromising the software that government entities and corporations use to monitor their networks, the hackers managed to establish a foothold on those networks and move deeper into them while appearing to be legitimate traffic.