
Mandia Alerted NSA on FireEye's SolarWinds Breach

"National security" concerns led former CEO Kevin Mandia to call the NSA when FireEye discovered its breach in late 2020.

MANDIANT CYBER DEFENSE SUMMIT — Washington, DC — It was just before the Thanksgiving holiday in 2020 when Kevin Mandia, then CEO of FireEye, made a rare and urgent visit to Fort Meade, Md. He shared with the National Security Agency (NSA) stunning details of an aggressive and ultra-sophisticated cyberattack on his company, one that was eerily familiar to him after more than two decades of investigating attacks from foreign adversaries.

"In my gut, very early on I felt that it was a Russian foreign intelligence operation. I kept thinking, it's not just us. In my mind I was thinking, we're locked onto it right now and I know we're not victim one. ... And I'm not hearing anything from anyone; what the hell is this? The silence was deafening," he said in an interview here with Dark Reading. "I made the call, too, [to the NSA also] because it felt to me that we could potentially have a national security issue [here]." 

Mandia had not publicly revealed his interaction with the NSA that day about the SolarWinds breach until today, after NSA director and Commander of the US Cyber Command Paul Nakasone shared the anecdote during his keynote address here, basically giving Mandia a shoutout for briefing the NSA on the breach. Nakasone explained how the heads-up helped the agency with its investigation into the SolarWinds campaign.

Nakasone said the cooperation between the company and the NSA was a prime example of what public-private partnerships in cybersecurity are meant to achieve, for his agency and other key agencies. "Almost a year ago, Kevin came to the NSA and said he had strong indicators of a hostile foreign adversary in FireEye's private corporate systems," Nakasone said in his keynote address. The information shared with the intel agency allowed it to corroborate and uncover more details of the overall attack and key technical details of it, he said, including "the vulnerability at the root of SolarWinds incident."

FireEye, which recently was spun off from Mandiant, found that the attackers had stolen some of its red-team assessment tools used in its customer engagements. While FireEye — and Mandia — have mostly shied away from naming the attackers, the US government has confirmed it was Russia's SVR intelligence agency. The attackers mostly were after intel on specific FireEye government customers and had gained access to some of the company's servers.

Nakasone said that NSA's "hunt team" found the novel malware and was able to "end" the attack campaign. That shortened the time frame during which the attackers could have been inside their targets and establishing deeper footholds in their networks, he said. "For any intel organization, the goal is not to be caught in the act," so for the SolarWinds attackers to have their operations exposed and stopped in less than one year is not typical, he said. Because Mandia contacted the NSA, the duration of the attack was shortened and deeper breaches were thwarted, Nakasone said.

"The SolarWinds incident was the turning point for our nation," Nakasone said, and FireEye and NSA's "partnership" was critical for thwarting further damage by the attackers.

Mandia said he had recognized a pattern in the SolarWinds attack akin to one he had responded to back in the mid- to late 1990s that was believed to be the handiwork of the SVR. "The calculation wasn't hard. We knew we needed help, and we did enough business with the US government that we knew we needed to get this information to you," he told Nakasone during their keynote question-and-answer session.

The attackers purposely used US-based IP addresses, which put them out of the watchful eye of the intel agency, Mandia explained. "There are times the private sector is gonna see something and the government is not," he said.

Sharing attack and threat intelligence with the US government long has been an awkward interaction for the private sector; many organizations remain wary because often they get no benefit, nor additional intel, for doing so. "There's not a carrot for the company that goes public" with its attack, Mandia said. "There may even be times when it's hard for us to share," adding that his organization would refrain from naming any victim of an attack with the feds. "That's not mine to share," he said of those details.

Lessons From SolarWinds
Mandia admitted it was painful but enlightening finding himself in the victim organization role. Even so, running a company that specializes in incident response — and had the resources to concentrate on the attack IR — gave the company a highly rare edge most victim organizations obviously don't have.

"I got to learn firsthand what it's like," he said. "But it's got to be totally frustrating" to other victim organizations that don't have hundreds of specialists dedicated to investigating their breaches. It still wasn't easy for FireEye/Mandiant to get to the bottom of what the attackers stole, given their discipline and skills, he said. "What I can't stand is that if they target you, they're gonna win. They will keep going at you until the day they succeed."
