50 orgs 'genuinely impacted' by SolarWinds hack, FireEye chief says

Approximately 50 organizations downloaded malicious code via SolarWinds software and were "genuinely impacted" by the sophisticated hacking campaign, according to FireEye CEO Kevin Mandia.

"This threat actor wasn't a one and done," Mandia said Dec. 20 on CBS' Face The Nation. "I think these are folks that we've responded to in the ‘90s, in the early 2000s."

Mandia, whose firm is credited with initially discovering the hacking campaign's breach via SolarWinds Orion IT management software suite, said FireEye has evidence to suggest the hackers may have started infiltrating multiple federal agencies and Fortune 500 companies late last year. FireEye is also the organization that named the malware SUNBURST.

"This campaign specifically has the earliest evidence of being designed in October of 2019 when code was changed in the SolarWinds Orion platform, but it was innocuous code. It was not a backdoor," Mandia said. Both federal agencies and private-sector companies investigating the breach have said malware was sent through SolarWinds' patches earlier this year.

SolarWinds has previously said it believes about 18,000 organizations using its Orion software suite downloaded malicious code.

Microsoft President Brad Smith in a Dec. 17 post said his company has found the hacking campaign installed malware at a large scale that allowed hackers to then "follow up and pick and choose from" targets where they wanted to focus their efforts.

"While investigations (and the attacks themselves) continue, Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures," according to his post.

In a separate post, Microsoft said its investigation led it to discover a second actor.

"In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," the company wrote.

On Dec. 18 the Cybersecurity and Infrastructure Security Agency supplemented its emergency guidance to federal agencies reflecting which versions of SolarWinds Orion contain a backdoor vulnerability believed to be used by hackers to deliver SUNBURST, malware capable of accessing broad authorities on a network and disguising its activities as legitimate SolarWinds processes.

The government has not yet formally attributed the campaign to a specific country or group, but some government officials such as Secretary of State Mike Pompeo have begun publicly stating they believe Russia is the culprit. When asked about attribution, Mandia acknowledged Russia is likely behind it and said the attack is "very consistent" with the SVR, a Russian intelligence agency.

This article was first posted to FCW, a sibling site to Defense Systems.