
Mandia: Russian State Hackers Changed The Game

Founder of Mandiant and FireEye CEO says Russia doesn't appear to want to cover its tracks anymore.

WASHINGTON, DC – Russia's leak of emails it hacked from the Democratic National Committee and Clinton campaign chairman John Podesta during the US presidential campaign came as a shock to FireEye CEO Kevin Mandia.

It takes a lot to surprise the seasoned Mandia, whose incident response firm Mandiant was acquired by FireEye nearly three years ago and who has been investigating and studying Russian nation-state breaches since the 1990s. In an interview at FireEye's Cyber Defense Summit here today, Mandia said the recent Russian state-sponsored attacks and leaking of information were a gamechanger in cyber espionage tradecraft.

"The doxing shocked me. I'm fascinated by it," he said. It's part of a major shift in Russia's nation-state hacking machine, according to Mandia.

Of the roughly two dozen breaches FireEye is currently investigating, Russian state hackers are behind many of them, a count "in the double digits," Mandia said. Even more chilling than the relative volume of attacks, however, is how dramatically Russia has changed its cyber espionage modus operandi over the past two years.

Mandia said the big shift began in the fall of 2014. "Suddenly, they [Russian state actors] didn't go away when we responded" to their attacks, he said. Historically, the attackers would disappear as soon as they were found: "The Russian rules of engagement were when we started a new investigation, they evaporated [and] just went away."

The Russian cyber espionage groups also began hacking universities, but not necessarily for the usual government research secrets they traditionally had been hunting. "They were [now] stealing [from] professors who had published … anti-Russian, anti-Putin sentiments. We'd seen the Chinese do that, but had never seen Russia doing that," Mandia said.

"The scale and scope were starting to change. Then I thought maybe their anti-forensics had gotten sloppier because now we could observe that they were not going away," he said. Rather than their usual counter-forensics cleanup, the Russians now merely left behind their digital footprints from their cyber espionage campaigns.

"They used to have a working directory and would remove it when they were done. But they just stopped doing that," Mandia said. That's either because they're no longer as disciplined in their campaigns, he said, or "they've just chosen to be more noticeable."
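The working-directory behaviour Mandia contrasts above is something an incident responder can check for directly in file-system change records. The following is an added example, not code from the article or from FireEye/Mandiant: it sorts attacker staging directories into the two patterns, "cleaned" (directory created, populated, then removed, the old tradecraft) and "left_behind" (never removed, the newer one). The record format, paths, timestamps and the two-file minimum are all constructed assumptions for this illustration.

```python
"""Added example, not from the article or from FireEye/Mandiant: classify
attacker staging ('working') directories seen in file-system change records
as 'cleaned' (created, used, then removed) or 'left_behind' (never removed).
Record format, paths and times are constructed for this illustration."""
from datetime import datetime

# Constructed records: "ISO timestamp,op,path"; a trailing "/" marks a directory.
SAMPLE_FS_EVENTS = """\
2016-11-28T02:10:05,CREATE,/c/Windows/Temp/.wd/
2016-11-28T02:10:07,CREATE,/c/Windows/Temp/.wd/stage.exe
2016-11-28T02:11:40,CREATE,/c/Windows/Temp/.wd/out1.dat
2016-11-28T02:40:12,DELETE,/c/Windows/Temp/.wd/out1.dat
2016-11-28T02:40:12,DELETE,/c/Windows/Temp/.wd/stage.exe
2016-11-28T02:40:13,DELETE,/c/Windows/Temp/.wd/
2016-11-29T23:02:00,CREATE,/c/ProgramData/.cache/
2016-11-29T23:02:01,CREATE,/c/ProgramData/.cache/stage.exe
2016-11-29T23:03:15,CREATE,/c/ProgramData/.cache/dump.log
2016-11-30T04:00:00,CREATE,/c/Users/alice/Documents/report.docx
"""


def parse_fs_events(text):
    """Parse records into (timestamp, op, path) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, path = line.split(",", 2)
        events.append((datetime.fromisoformat(ts), op, path))
    events.sort(key=lambda e: e[0])
    return events


def classify_working_dirs(events, min_files=2):
    """Return {dir: {"status", "files", "lifetime_min"}} for each directory whose
    creation was recorded and that received at least min_files files.

    status is "cleaned" when the directory itself was later deleted and
    "left_behind" when it is still present at the end of the records."""
    dirs = {}
    for ts, op, path in events:
        if path.endswith("/"):                      # directory-level event
            if op == "CREATE":
                dirs[path] = {"created": ts, "deleted": None, "files": set()}
            elif op == "DELETE" and path in dirs:
                dirs[path]["deleted"] = ts
            continue
        parent = path.rsplit("/", 1)[0] + "/"
        info = dirs.get(parent)
        if info is None:                            # parent not created in our window
            continue
        if op == "CREATE":
            info["files"].add(path)

    result = {}
    for d, info in dirs.items():
        if len(info["files"]) < min_files:          # too small to be a staging area
            continue
        if info["deleted"] is not None:
            lifetime = (info["deleted"] - info["created"]).total_seconds() / 60
            result[d] = {"status": "cleaned", "files": len(info["files"]),
                         "lifetime_min": lifetime}
        else:
            result[d] = {"status": "left_behind", "files": len(info["files"]),
                         "lifetime_min": None}
    return result


if __name__ == "__main__":
    for d, info in classify_working_dirs(parse_fs_events(SAMPLE_FS_EVENTS)).items():
        print(f"{d}: {info['status']} ({info['files']} files)")
```

A "cleaned" directory with a lifetime of minutes is the classic hit-and-wipe pattern; a "left_behind" one is the footprint Mandia says now gets abandoned, and its contents are the first thing to collect. Real investigations would feed this from the NTFS USN journal or an EDR file-event stream rather than a text file, but the grouping logic is the same.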

There are no easy solutions for responding to this new MO of Russia's hacking machine, either, he said. "They're damn good at hacking," Mandia said.

The Obama administration's Executive Order signed in April 2015 (EO 13694) gives the US the power to freeze the assets of attackers who disrupt US critical infrastructure, steal trade secrets from US businesses, or profit from the theft of personal information.

It's unclear for now whether President-Elect Donald Trump will preserve Obama's cybersecurity EOs and policies. Mandia said he doesn't expect them to be scrapped. "No one wants to be hacked. Whether you're a Democrat or a Republican, you don't want people stealing your email. I can't imagine this is an issue that’s divided" politically, he said.

Trump's cybersecurity platform published during the campaign calls for developing "offensive" capabilities in cybersecurity. "Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately," according to his statement.

Some security experts say it's unclear if that leaves the door open for private organizations to hack back. Mandia opposes businesses hacking back at their online adversaries: "It's very dangerous. You will not have the intended consequences if you have anyone in the private industry do anything on offense, unless they were deputized by the government," he said.

Mandia is a fan of the oft-criticized pact between President Obama and Chinese president Xi Jinping not to conduct cyberspying for economic gain. The agreement specifically applies to the theft of trade secrets and stops short of banning traditional espionage via hacking. Cyberespionage has been a notoriously prolific strategy for China, with the US among its top targets, although Chinese officials deny such hacking activity.

While some security experts say the US-China agreement has not slowed China's hacking for IP theft, Mandia said his firm saw a dramatic decrease in the wake of the pact. FireEye saw the number of such attacks drop from 80 to four within one month after the pact. "Whoever runs China's cyber espionage: they have disciplined troops. They stick to the rules of engagement," Mandia said.

He said he can't see how the Trump administration would scrap the pact with China. "It has had impact in such an incisive way, I don't know why they would change it."

The New 'Wave'

Mandia said cyber espionage and cyberattacks have now entered a new, less predictable phase. "More emboldened nations are doing more emboldened things" hacking-wise, he said, pointing to Iran as one example.

"Every day, Iran is hacking and there are no repercussions. They are getting operational experience and getting better at it," he said.

Grady Summers, CTO of FireEye, said his firm is seeing more coordination and destruction in all types of cyberattacks. Ransomware attacks are moving from targeting a machine or two to thousands of machines. "They're establishing a foothold, going lateral and going destructive and encrypting en masse," Summers said. That lets attackers encrypt thousands of machines, do more damage, and gain more leverage.
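The "encrypting en masse" stage Summers describes has a simple detection signal: a burst of extension-changing renames on one host, then the same burst appearing on a second host minutes later as the intrusion goes lateral. The following is an added example, not code from the article or from FireEye: a sliding-window detector run over constructed file-rename records from several hosts. The hostnames, paths, timestamps and the 60-second, five-rename threshold are assumptions for this illustration.

```python
"""Added example, not from the article or from FireEye: a rate-based detector
for mass file encryption, run over constructed file-rename records from
several hosts. Hostnames, paths, times and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import posixpath

# Constructed records: "ISO timestamp,host,old_path,new_path".
# ws01 and ws02 show a fast burst; ws03 renames slowly; fs01 is benign activity.
SAMPLE_RENAMES = """\
2016-12-01T09:00:00,ws01,/share/finance/q3.xlsx,/share/finance/q3.xlsx.locked
2016-12-01T09:00:02,ws01,/share/finance/q4.xlsx,/share/finance/q4.xlsx.locked
2016-12-01T09:00:05,ws01,/share/finance/budget.docx,/share/finance/budget.docx.locked
2016-12-01T09:00:09,ws01,/share/finance/notes.txt,/share/finance/notes.txt.locked
2016-12-01T09:00:12,ws01,/share/finance/plan.pptx,/share/finance/plan.pptx.locked
2016-12-01T09:00:15,ws01,/share/finance/old.pdf,/share/finance/old.pdf.locked
2016-12-01T09:02:30,ws02,/home/bob/a.doc,/home/bob/a.doc.locked
2016-12-01T09:02:31,ws02,/home/bob/b.doc,/home/bob/b.doc.locked
2016-12-01T09:02:33,ws02,/home/bob/c.doc,/home/bob/c.doc.locked
2016-12-01T09:02:36,ws02,/home/bob/d.doc,/home/bob/d.doc.locked
2016-12-01T09:02:40,ws02,/home/bob/e.doc,/home/bob/e.doc.locked
2016-12-01T09:10:00,ws03,/tmp/r1.txt,/tmp/r1.txt.locked
2016-12-01T09:12:00,ws03,/tmp/r2.txt,/tmp/r2.txt.locked
2016-12-01T09:14:00,ws03,/tmp/r3.txt,/tmp/r3.txt.locked
2016-12-01T09:16:00,ws03,/tmp/r4.txt,/tmp/r4.txt.locked
2016-12-01T09:18:00,ws03,/tmp/r5.txt,/tmp/r5.txt.locked
2016-12-01T09:30:00,fs01,/data/draft.docx,/data/draft.pdf
2016-12-01T10:30:00,fs01,/data/final.docx,/data/final.pdf
"""


def parse_rename_events(text):
    """Parse records into (timestamp, host, old_path, new_path), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, old, new = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), host, old, new))
    events.sort(key=lambda e: e[0])
    return events


def extension_changed(old, new):
    """Ransomware typically appends or swaps the extension; plain moves do not."""
    return posixpath.splitext(old)[1].lower() != posixpath.splitext(new)[1].lower()


def detect_mass_encryption(events, window=timedelta(seconds=60), threshold=5):
    """Return {host: time_of_first_alert} for every host that performed at least
    `threshold` extension-changing renames inside any `window`-long span."""
    recent = defaultdict(deque)     # host -> timestamps of recent suspicious renames
    alerts = {}
    for ts, host, old, new in events:
        if not extension_changed(old, new):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


def spread_summary(alerts):
    """(number of hosts alerted, minutes from first to last alert). A second
    host alerting minutes after the first is the lateral-spread signal."""
    if not alerts:
        return 0, 0.0
    times = sorted(alerts.values())
    return len(alerts), (times[-1] - times[0]).total_seconds() / 60


if __name__ == "__main__":
    found = detect_mass_encryption(parse_rename_events(SAMPLE_RENAMES))
    for host, when in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{when.isoformat()} mass-encryption burst on {host}")
    print("hosts, spread minutes:", spread_summary(found))
```

On the constructed input only ws01 and ws02 trip the detector, two and a half minutes apart, which is the cross-host pattern worth paging on. ws03 shows the obvious evasion: encrypting one file every two minutes never fills a 60-second window, so a production rule should pair this rate check with a cumulative per-host count or canary files rather than rely on the burst alone.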


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Strategist
12/6/2016 | 12:17:40 AM
Re: .osiris ransomware
One of the password recovery phone numbers was Russian, but Krebs said the MUNI system was accidentally hacked, just another victim of cyber crooks.
User Rank: Strategist
12/5/2016 | 2:31:21 PM
Re: It is going to get interesting
What about the latest San Francisco MUNI ransomware hack? Brian Krebs found that the hacker has an Iranian or Russian background.
User Rank: Strategist
12/5/2016 | 2:18:52 PM
Re: It is going to get interesting
Not really, all the latest ransomware examples are made in Russia, and the DynDNS DDoS attack on 10/21/16 has Russian origin. Hacking is a part of their modern foreign policy, which includes hybrid war elements, to achieve their goals.
User Rank: Apprentice
12/4/2016 | 7:47:54 AM
Re: It is going to get interesting
Putin or Russia interfering in the US election is a myth created by the Clinton campaign.
David Balaban,
User Rank: Strategist
12/3/2016 | 9:48:03 AM
We are very slow fighting Chinese cyber intruders. With Putin, it is going to be the same. I do not hope that we will be able to change things soon.
User Rank: Ninja
12/2/2016 | 1:27:02 PM
Machismo is Back in Style
We've seen a few things the last few years that have set the tone for this type of brazen activity.  Certainly the hacker community in general has had a "brass set" attitude since the beginning, and while anonymity has been important, throwing your persona out there and making sure your hacks were attributed to you is nothing new.  But the days of such "machismo" (sorry to set up a gender-specific analogy here) between world leaders seemed like a thing of the past when it came to the global attitude toward Western leadership.  Seems like we're moving back to a certain mindset where countries like China, North Korea and Russia are happy to raise the middle finger to us and crack open our digital infrastructure.  Why not?  The Middle East (clarify: terrorist-organizations) has done this for years outside the digital realm, but even that is now fair game for radical terrorist groups.  The regular appearance of Anonymous (never forget, never forgive), Assange and other high-profile hackers also confuses some folks about whether hacking is now "OK".  While I can't say anything bad about Anonymous, Assange seems to be setting a tone of "cybercrime is the new investigative reporting" and to some extent that carefree attitude is catching on with world leaders who don't know the difference between back-slapping and outright... well, you get the point.  With the current chest-puffing administration here in the US, I can't see this stopping any time soon.  But is this a bad thing?  Not so sure it is.  There's nothing like knowing who your cyberattacker is when wanting to bring down an Enemy of the State.  Please, Russia, and any other country that wants to: brag, boast and puff.  Maybe this will inspire the harder-to-catch cybercriminals to do the same so we can finally nab them in the act, too.  
Kelly Jackson Higgins,
User Rank: Strategist
12/2/2016 | 10:58:00 AM
Re: Typo with the Name.
@Ashu001 Actually, the spelling is correct as-is. Kevin Mandia founded Mandiant. =)

Thank you for sharing your thoughts on nation-state cyber espionage.
User Rank: Apprentice
12/2/2016 | 9:25:14 AM
Typo with the Name.

I don't mean to disparage your amazing article, but it sure bugs me a lot when I see your wonderful write-up get spoiled by the fact that the company in question is named "MANDIANT" and not "MANDIA".

I am amazed that nobody (in either the readership at Dark Reading or the phenomenal editors) has spotted the error previously.

The company does phenomenal research, as anyone who has used their Redline tool regularly will attest.

Also, I am not surprised that the Russian hackers are no longer covering their tracks.

Just in the USA, the UK, Israel, China and of course Russia, state-sponsored hacking groups operate as a function of state policy/diktat.

The fact that the Russians are no longer covering their tracks simply implies that the Russian government feels more confident in their place in the world.

Anyone who reads the latest geopolitical news will tell you how Russia is on the ascendency globally (Syria as well as with the latest OPEC announcement).

So, all this state-sponsored hacking is just a function of their great power status.


User Rank: Strategist
12/2/2016 | 9:12:25 AM
It is going to get interesting
Given that Putin made no attempt to hide his desire to see Trump win and Trump made no attempt to hide his desire to have Putin interfere with the US election, it will be _interesting_ to see how a Trump administration will respond to Russian hacking. It would be even more interesting to see how US intelligence agencies respond if it appears as if a President Trump wants to take a hands-off approach on the subject. They took an oath to protect the Constitution and people of the United States, not the President.