Hackers Taunt FireEye’s Kevin Mandia At Home With Postcard: Report

Hackers attempted to troll FireEye CEO Kevin Mandia with a postcard that called into question the company’s ability to attribute cyberattacks to the Russian government, Reuters reported.

The FBI is investigating a mysterious postcard sent to Mandia’s home days after FireEye found initial evidence of a suspected Russian hacking operation on U.S. government agencies and private businesses, according to Reuters. Federal officials said Jan. 5 that a Russian Advanced Persistent Threat (APT) group is likely behind colossal hacking campaign, but FireEye hasn’t publicly attributed the attack to Russia.

U.S. officials familiar with the postcard are investigating whether it was sent by people associated with a Russian intelligence service due its timing and content, according to Reuters. This suggests Russian intelligence officials had internal knowledge of the massive hack well before it was publicly disclosed in December, Reuters said. FireEye declined to comment to CRN on the Reuters report.

[Related: Kevin Mandia: 50 Firms ‘Genuinely Impacted’ By SolarWinds Attack]

The postcard did not on its own help FireEye find the breach, but rather arrived in the early stages of the threat intelligence vendor’s investigation, Reuters said. This led people familiar with the card to believe the sender was attempting to discourage further inquiry by intimidating a senior executive. Reuters said U.S. law enforcement and intelligence agencies are spearheading a probe into the postcard’s origin.

FireEye blew the lid off the hacking campaign Dec. 8 when the company disclosed that it was breached in an attack designed to gain information on some of the company’s government customers. Before entering the corporate world, Mandia spent six years in the U.S. Air Force, where he was a computer security officer at the Pentagon and a special agent in the Air Force Office of Special Investigations.

A person familiar with the postcard investigation told Reuters actions like these aren’t typically in the playbook of Russia’s foreign intelligence service, or APT29, but noted that “times are rapidly changing.” The U.S. Cyber Command sent private messages to Russian hackers ahead of the 2018 congressional elections along the lines of ‘watch your back, we see you,’ a former U.S. intelligence official told Reuters.

Rand Corp. disinformation researcher Todd Helmus received a postcard similar to Mandia’s in March 2019 after testifying at the U.S. Senate Select Committee on Intelligence the year prior. “It‘s so nice to receive an actual post-card these days,” Helmus said on Twitter Monday afternoon following publication of the Reuters story. “I’m actually heartened that the Russians would think of me.”

One side of the postcard Helmus received depicts a man reading a newspaper article about the income gap and saying “It’s the worst income inequality in 100 years.” In response, a large man in a suit with a pocket square and cigar who is labeled as “the 1%” points a finger in a different direction and says “Hey look! Russians!”

The other side of the postcard depicts a parrot in a cage telling a forlorn man holding a newspaper, a boy, a dog and a cat “Putin did it!” People familiar with Mandia’s postcard told Reuters it had the same caption as Helmus’ but carried FireEye’s logo and was addressed to CEO Kevin Mandia.

Mandia has been front and center since this story broke, authoring a Dec. 8 blog that disclosed FireEye had been hacked and a Dec. 13 blog tying the campaign to the insertion of malicious code in SolarWinds Orion. Since then, Mandia has appeared everywhere from CBS’ Face the Nation on Dec. 20 to NPR’s All Things Considered on Dec. 21 to a Jan. 7 Aspen Institute panel alongside U.S. Sen. Mark Warner, D-Va.