How FireEye attributed the SolarWinds hacking campaign to Russian spies

FireEye's CEO also said it's difficult to know whether a mysterious postcard was in fact sent by a Russian intelligence agency.
Kevin Mandia testifies at a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. (Photo by Demetrius Freeman-Pool/Getty Images)

Careful data collection, specific keyword searches and the type of breach were factors that FireEye used to determine that Kremlin-sponsored hackers were behind one of the largest cyber-espionage operations in recent years.

The first revelations about what would come to be known as the SolarWinds campaign — in which spies exploited the federal contractor to breach nine U.S. government agencies and roughly 100 companies — occurred in early December 2020, when FireEye announced that hackers had stolen its security testing tools. The Milpitas-based company discovered that SolarWinds software was affected during the course of its own investigation, sparking examinations throughout U.S. national security circles that remain ongoing.

“We learned it’s fair game to hack the supply chain,” FireEye CEO Kevin Mandia said Tuesday during CyberTalks, a summit presented by CyberScoop.

While scrambling to understand the scope of the breach, FireEye investigators observed that hackers had searched for specific keywords, an indication that they had specific intelligence-gathering goals, Mandia said. The intruders also leveraged specific username and passwords for every account they breached, rather than using a single software backdoor akin to a master key that would unlock all of the necessary data.


“What they were doing was using the exact right credential for everything they went into,” Mandia said. “That’s discipline, that’s training, that’s methodical. And I don’t see any nation doing that other than Russia.”

Within a month of FireEye’s attribution, Mandia personally received a postcard that appeared to be linked to Russia, as Reuters first reported. The note, addressed to the CEO, reportedly questioned FireEye’s ability to accurately identify the perpetrator of the hack. Whether the effort was an intimidation tactic from a foreign intelligence agency remains unclear.

“That’s the challenge of cyberspace. It is so anonymous and they have such great plausible deniability that it makes it frustrating to understand that, if anything happens in the physical world, is it genuinely connected to the cyber world or not,” Mandia said Tuesday when questioned on the matter. “What I learned from the SolarWinds implant, and who they targeted, was that the software and security companies are absolutely fair game for espionage.”

The SolarWinds incident remains a topic of heavy focus in Washington. The White House is seeking $750 million in its latest budget request to recover from the incident, while Microsoft recently determined that the same Russian hacking group has since carried out a targeted phishing effort in which spies masquerade as members of the U.S. Agency for International Development.

FireEye has since announced it will sell its security products business for $1.2 billion to Symphony Technology Group, a private equity firm.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts