Friday, December 18, 2020

Charles Carmakal Hasn't Seen Any Evidence Sufficient To Name The SolarWinds Threat Actor...

bloomberg | The hackers who attacked FireEye stole sensitive tools that the company uses to find vulnerabilities in clients’ computer networks. While the hack on FireEye was embarrassing for a cybersecurity firm, Carmakal argued that it may prove to be a crucial mistake for the hackers.

“If this actor didn’t hit FireEye, there is a chance that this campaign could have gone on for much, much longer,” Carmakal said. “One silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community and security partners.” Carmakal said there is no evidence FireEye’s stolen hacking tools were used against U.S. government agencies.

“There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.

FireEye’s investigation revealed that the hack on itself was part of a global campaign by a highly sophisticated attacker that also targeted “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” the company said in a blog post Sunday night. “We anticipate there are additional victims in other countries and verticals.”

The Department of Commerce confirmed a breach in one of its bureaus, and Reuters reported that the Department of Homeland Security and the Treasury Department were also attacked as part of the suspected Russian hacking spree.

Carmakal said the hackers took advanced steps to conceal their actions. “Their level of operational security is truly exceptional,” he said, adding that the hackers would operate from servers based in the same city as an employee they were pretending to be in order to evade detection.

The hackers were able to breach U.S. government entities by first attacking SolarWinds, the IT software provider. By compromising the software that government entities and corporations use to monitor their networks, the hackers gained a foothold in those networks and dug deeper, all while appearing as legitimate traffic.
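The evasion Carmakal describes, signing in from servers located in the same city as the employee being impersonated, defeats the common "unusual location" login rule on its own. The following added example (not code from the article, Bloomberg, or FireEye) shows that gap with constructed login records and one extra signal a defender can add: whether the source network is a hosting or VPS provider the user has never been seen on. The user profiles, IP addresses (documentation ranges), ASN organisation names and the hosting-provider list are all made up for illustration.

```python
"""Constructed example: why a city-match rule misses an actor operating from
servers in the employee's own city, and one extra signal that surfaces it.
All login records, IPs, ASN names and profiles here are invented."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src_ip: str
    city: str      # geolocation of src_ip (assumed already resolved upstream)
    asn_org: str   # organisation owning src_ip's ASN (assumed already resolved)


# Hypothetical baseline built from historical logins: the city each user
# normally signs in from and the network organisations they normally use.
USER_PROFILE = {
    "alice": {"city": "Reston", "orgs": {"Comcast", "Verizon Wireless"}},
    "bob":   {"city": "Austin", "orgs": {"AT&T"}},
}

# Constructed set of ASN organisations that are hosting/VPS providers rather
# than residential or mobile ISPs. A real deployment would take this from an
# IP-intelligence feed; these names are placeholders.
HOSTING_ORGS = {"ExampleCloud VPS", "Placeholder Hosting LLC"}

# Constructed login events. The third one models the behaviour quoted in the
# article: the actor signs in as alice from a rented server in her own city.
EVENTS = [
    Login(datetime(2020, 12, 7, 9, 2), "alice", "203.0.113.10", "Reston", "Comcast"),
    Login(datetime(2020, 12, 7, 9, 15), "bob", "198.51.100.7", "Austin", "AT&T"),
    Login(datetime(2020, 12, 7, 22, 41), "alice", "192.0.2.55", "Reston", "ExampleCloud VPS"),
    Login(datetime(2020, 12, 8, 3, 5), "bob", "192.0.2.88", "Frankfurt", "Placeholder Hosting LLC"),
]


def geo_only_alerts(events, profile=USER_PROFILE):
    """Naive rule: alert only when the login city differs from the user's usual city."""
    return [e for e in events if e.city != profile[e.user]["city"]]


def hosting_aware_alerts(events, profile=USER_PROFILE, hosting_orgs=HOSTING_ORGS):
    """Alert when the city differs OR when the source network is a hosting
    provider the user has never been seen on, even if the city matches."""
    out = []
    for e in events:
        p = profile[e.user]
        if e.city != p["city"]:
            out.append((e, "unusual city"))
        elif e.asn_org in hosting_orgs and e.asn_org not in p["orgs"]:
            out.append((e, "hosting provider in home city"))
    return out


if __name__ == "__main__":
    # The geo-only rule sees nothing wrong with alice's late-night VPS login.
    print("geo-only alerts:", [e.src_ip for e in geo_only_alerts(EVENTS)])
    for e, why in hosting_aware_alerts(EVENTS):
        print(f"{e.ts:%Y-%m-%d %H:%M} {e.user:<6} {e.src_ip:<14} {why}")
```

Run as a script, the geo-only rule flags only bob's Frankfurt login, while the hosting-aware rule also raises alice's Reston login because it originates from a VPS provider absent from her baseline. The point is not this particular heuristic but that location alone is a weak signal once an actor deliberately matches it; network ownership, device identity and time-of-day are independent signals that have to be faked separately.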