Kevin Mandia: 50 Firms ‘Genuinely Impacted’ By SolarWinds Attack

FireEye CEO Kevin Mandia acknowledges the SolarWinds hack ‘is an attack very consistent with’ what the Russian foreign intelligence service is known for, but didn’t want to officially blame the campaign on them.


Only 50 of the 18,000 organizations who installed malicious SolarWinds Orion code into their network were “genuinely impacted” by the campaign, said FireEye CEO Kevin Mandia.

“It’s important to note everybody says this is potentially the biggest intrusion in our history,” Mandia told Margaret Brennan Sunday on CBS’ Face the Nation. “[But] the reality is the blast radius for this, I kind of explain it with a funnel … It’s probably only about 50 organizations or companies, somewhere in that zone that’s genuinely impacted by the threat actor.”

Mandia’s remarks echo other experts – including leaders at his own company – who’ve noted the suspected Russian hackers exploited only a small fraction of the backdoors they were able to establish. FireEye’s Charles Carmakal first told The New York Times Dec. 14 that only dozens of organizations were actually compromised even though 18,000 were vulnerable to being attacked.

Sponsored post

[Related: Unclassified Treasury Systems Hit By SolarWinds Hack: Mnuchin]

Then on Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that not all organizations that have a backdoor delivered through SolarWinds Orion have been targeted by the hackers with follow-on actions. Similarly, Microsoft President Brad Smith said just over 40 of the company’s customers were precisely targeted and compromised through trojanized Orion updates.

“This was not a drive-by shooting on the information highway,” Mandia said on CBS Sunday. “This was a sniper round from somebody a mile away from your house. This was special operations. And it was going to take special operations to detect this breach.”

Mandia also told Face the Nation that there’s early evidence of this campaign being designed all the way back in October 2019 when innocuous code changes were made on the Orion network monitoring platform. But it wasn’t until March 2020 that the operators behind this attack injected malicious code into the supply chain via SolarWinds Orion, Mandia said.

“This is more like a case where somebody came in through a trapdoor in your basement that you never [knew about, put on an invisibility cloak and you just got the sense they’re in your networks, but you weren’t even sure how,” Mandia said. “You were like, ‘There’s something different right now. Something’s been moved.’”

The suspected Russian hackers first distributed malicious files to customers from the SolarWinds network on Oct. 10, 2019, but those files didn’t have a backdoor embedded in them, Yahoo News reported Friday. The October files were discovered in the systems of several victims, but investigators haven’t found any signs that the hackers engaged in any additional malicious activity on those systems.

The files distributed to victims in October 2019 were signed with a legitimate SolarWinds certificate to make them appear to be authentic code for the company’s Orion software, Yahoo News reported. The files that infected customers on Oct. 10 were compiled the same day customers got infected with them, infecting customers within hours — and in some cases minutes — after compilation, Yahoo News said.

“As a part of the ongoing investigation, we have determined that version 2019.4 with no hotfix of the Orion Platform released in October 2019 contained test modifications to the code base,” SolarWinds wrote on its ‘FAQ: Security Advisory’ page. “While this version is not impacted by the SUNBURST vulnerability, it is the first version in which we have seen activity from the attacker at this time.”

Mandia stopped short in attributing the campaign to Russia’s foreign intelligence service (SVR), also known as APT29 or Cozy Bear, which was first reported by The Washington Post on Dec. 13. Mandia told CBS that there’s “definitely a nation” behind the attack, and acknowledged that “this is an attack very consistent with” what the SVR is known for, but didn’t want to officially blame the attack on them.

“I’m very confident as we continue the investigation, as it gets broader, as more people learn about the tools, tactics and procedures of this attack, we’re going to bring it back and we’re going to get attribution,” Mandia said. “Not 92 percent right, not ‘consistent with,’ but 100 percent. Let’s just get it right so that we can proportionately respond, period.”