Cyber exec: 50 orgs 'genuinely impacted' by SolarWinds hack

By Lidiia Royalty-free stock vector ID: 1110770507 

FireEye chief Kevin Mandia said this weekend he estimates around 50 organizations downloaded malicious code and were "genuinely impacted" by the hacking campaign believed to have breached multiple federal agencies and Fortune 500 companies.

"This threat actor wasn't a one and done," Mandia said Dec. 20 on CBS' Face The Nation. "I think these are folks that we've responded to in the 90s, in the early 2000s."

Mandia, whose firm is credited with initially discovering the hacking campaign's breach via SolarWinds Orion, an IT management software suite, also said FireEye has evidence to suggest hackers' efforts may have started late last year. FireEye is also the organization that named the malware SUNBURST.

"This campaign specifically has the earliest evidence of being designed in October of 2019 when code was changed in the SolarWinds Orion platform, but it was innocuous code. It was not a backdoor," Mandia said. Both federal agencies and private sector companies investigating the breach have said malware was sent through SolarWinds' patches earlier this year.

Treasury Secretary Steven Mnuchin confirmed on CNBC this morning that his agency was breached as a result of the SolarWinds hack, which was widely reported last week. He also said he does not believe any classified systems were accessed.

President Donald Trump, in his first statement acknowledging the hack since it was initially reported more than week ago, attempted to downplay the significance of the breach in a tweet on Saturday.

"The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control," he tweeted. "Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)."

The tweet also undercut a statement from Secretary of State Mike Pompeo who publicly accused Russia of orchestrating the attack. Attorney General Bill Barr today said during a press conference that he agreed with Pompeo's comments.

SolarWinds has previously said it believes about 18,000 organizations using its Orion software suite downloaded malicious code.

Microsoft President Brad Smith in a Dec. 17 post said his company has found the hacking campaign installed malware at a large scale that allowed hackers to then "follow up and pick and choose from" targets they wanted to focus their efforts.

"While investigations (and the attacks themselves) continue, Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures," according to his post.

In a separate post, Microsoft said its investigation led it to discover a second actor.

"In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," the company wrote.

The Cybersecurity and Infrastructure Security Agency on Friday updated its emergency guidance to federal agencies reflecting which versions of SolarWinds Orion contain a backdoor vulnerability believed to be used by hackers to deliver SUNBURST, malware capable of accessing broad authorities on a network and disguising its activities as legitimate SolarWinds processes.

The government has not yet formally attributed the campaign to a specific country or group, but some government officials such as Pompeo have begun publicly stating they believe Russia is the culprit. When asked about attribution, Mandia acknowledged Russia is likely behind it and said the attack is "very consistent" with the SVR, a Russian intelligence agency.

About the Author

Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected