WASHINGTON, DC – Russia's leak of emails it hacked from the Democratic National Committee and Clinton campaign chairman John Podesta during the US presidential campaign came as a shock to FireEye CEO Kevin Mandia.
It takes a lot to surprise the seasoned Mandia, whose incident response firm Mandiant was acquired by FireEye nearly three years ago and who has been investigating and studying Russian nation-state breaches since the 1990s. In an interview at FireEye's Cyber Defense Summit here today, Mandia said the recent Russian state-sponsored attacks and leaking of information were a gamechanger in cyber espionage tradecraft.
"The doxing shocked me. I'm fascinated by it," he said. It's part of a major shift in Russia's nation-state hacking machine, according to Mandia.
Of the roughly two dozen breaches FireEye currently is investigating, Russian state hackers are behind many of them, "in the double digits," Mandia said. Even more chilling than the relative volume of attacks, however, is how dramatically Russia has changed its cyber espionage modus operandi over the past two years.
Mandia said the big shift began in the fall of 2014. "Suddenly, they [Russian state actors] didn't go away when we responded" to their attacks, he said. Historically, the attackers would disappear as soon as they were found: "The Russian rules of engagement were when we started a new investigation, they evaporated [and] just went away."
The Russian cyber espionage groups also began hacking universities, but not necessarily for the usual government research secrets they traditionally had been hunting. "They were [now] stealing [from] professors who had published … anti-Russian, anti-Putin sentiments. We'd seen the Chinese do that, but had never seen Russia doing that," Mandia said.
"The scale and scope were starting to change. Then I thought maybe their anti-forensics had gotten sloppier because now we could observe that they were not going away," he said. Rather than their usual counter-forensics cleanup, the Russians now merely left behind their digital footprints from their cyber espionage campaigns.
"They used to have a working directory and would remove it when they were done. But they just stopped doing that," Mandia said. That's either because they're no longer as disciplined in their campaigns, he said, or "they've just chosen to be more noticeable."
There are no easy solutions for response to this new MO of Russia's hacking machine, either, he said. "They're damn good at hacking," Mandia said.
The Obama administration's Executive Order signed in 2015 gives the US the power to freeze assets of attackers who disrupt US critical infrastructure, or steal trade secrets from US businesses or profit from theft of personal information.
It's unclear for now whether President-Elect Donald Trump will preserve Obama's cybersecurity EOs and policies. Mandia said he doesn't expect them to be scrapped. "No one wants to be hacked. Whether you're a Democrat or a Republican, you don't want people stealing your email. I can't imagine this is an issue that’s divided" politically, he said.
Trump's cybersecurity platform published during the campaign calls for developing "offensive" capabilities in cybersecurity. "Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately," according to his statement.
Some security experts say it's unclear if that leaves the door open for private organizations to hack back. Mandia opposes businesses hacking back at their online adversaries: "It's very dangerous. You will not have the intended consequences if you have anyone in the private industry do anything on offense, unless they were deputized by the government," he said.
Mandia is a fan of the oft-criticized pact between President Obama and Chinese president Xi Jinping not to conduct cyberspying attacks for economic gain. The agreement specifically applies to the theft of trade secrets and stops short of banning traditional espionage via hacking. Cyberespionage has been a notoriously prolific strategy for China, with the US among its top targets, although Chinese officials deny such hacking activity.
While some security experts say the US-China agreement has not slowed China's hacking for IP theft, Mandia said his firm saw a dramatic decrease in the wake of the pact. FireEye saw the number of such attacks drop from 80 to four within one month after the pact. "Whoever runs China's cyber espionage: they have disciplined troops. They stick to the rules of engagement," Mandia said.
He said he can't see how the Trump administration would scrap the pact with China. "It has had impact in such an incisive way, I don't know why they would change it."
The New 'Wave'
Mandia said cyber espionage and cyberattacks have now entered a new, less predictable phase. "More emboldened nations are doing more emboldened things" hacking-wise, such as Iran, he said.
"Every day, Iran is hacking and there are no repercussions. They are getting operational experience and getting better at it," he said.
Grady Summers, CTO of FireEye, said his firm is seeing more coordination and destruction in all types of cyberattacks. Ransomware attacks, for example, are moving from targeting a machine or two to targeting thousands of machines. "They're establishing a foothold, going lateral and going destructive and encrypting en masse," Summers said. That allows attackers to encrypt thousands of machines, do more damage, and gain more leverage.