FireEye's chief executive officer said he's seen evidence suggesting hackers changed code in SolarWinds software as early as October 2019.
FireEye chief Kevin Mandia said this weekend he estimates around 50 organizations downloaded malicious code and were "genuinely impacted" by the hacking campaign believed to have breached multiple federal agencies and Fortune 500 companies.
"This threat actor wasn't a one and done," Mandia said Dec. 20 on CBS' Face The Nation. "I think these are folks that we've responded to in the 90s, in the early 2000s."
Mandia, whose firm is credited with initially discovering the hacking campaign's breach via SolarWinds Orion, an IT management software suite, also said FireEye has evidence to suggest hackers' efforts may have started late last year. FireEye is also the organization that named the malware SUNBURST.
"This campaign specifically has the earliest evidence of being designed in October of 2019 when code was changed in the SolarWinds Orion platform, but it was innocuous code. It was not a backdoor," Mandia said. Both federal agencies and private sector companies investigating the breach have said malware was sent through SolarWinds' patches earlier this year.
Treasury Secretary Steven Mnuchin confirmed on CNBC this morning that his agency was breached as a result of the SolarWinds hack, which was widely reported last week. He also said he does not believe any classified systems were accessed.
President Donald Trump, in his first statement acknowledging the hack since it was initially reported more than a week ago, attempted to downplay the significance of the breach in a tweet on Saturday.
"The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control," he tweeted. "Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)."
The tweet also undercut a statement from Secretary of State Mike Pompeo, who publicly accused Russia of orchestrating the attack. Attorney General Bill Barr today said during a press conference that he agreed with Pompeo's comments.
SolarWinds has previously said it believes about 18,000 organizations using its Orion software suite downloaded malicious code.
Microsoft President Brad Smith said in a Dec. 17 post that his company has found the hacking campaign installed malware at a large scale, which allowed hackers to then "follow up and pick and choose from" targets they wanted to focus their efforts on.
"While investigations (and the attacks themselves) continue, Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures," according to his post.
In a separate post, Microsoft said its investigation led it to discover a second actor.
"In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," the company wrote.
The Cybersecurity and Infrastructure Security Agency on Friday updated its emergency guidance to federal agencies reflecting which versions of SolarWinds Orion contain a backdoor vulnerability believed to be used by hackers to deliver SUNBURST, malware capable of accessing broad authorities on a network and disguising its activities as legitimate SolarWinds processes.
The government has not yet formally attributed the campaign to a specific country or group, but some government officials such as Pompeo have begun publicly stating they believe Russia is the culprit. When asked about attribution, Mandia acknowledged Russia is likely behind it and said the attack is "very consistent" with the SVR, a Russian intelligence agency.