How Suspected Russian Hackers Exposed Their Massive Cyberattack

Two congressional staffers who were aware of the break-in said FireEye representatives, who met with multiple lawmakers and their staffers this week to discuss the hack, revealed a potentially embarrassing detail: that the hackers had defeated a security control requiring two-factor authentication for access to FireEye’s network by tricking an employee into entering his or her credentials on a fake login page.

In a 2016 blog post, FireEye explained how such an attack could be carried out, noting that while “two-factor authentication is a best practice for securing remote access, it’s also a holy grail for a motivated red team” (a reference to security professionals hired to find customers’ weaknesses) who “can use the simplest method of obtaining the credentials we need: ask the victim to enter them for us. The perfect trap is the easiest to set up.”

When asked for comment, FireEye officials disputed the congressional staffers’ account, insisting that no employee was tricked and that the company caught the breach when the hackers attempted to register a new device with FireEye’s systems. A spokesperson also reiterated that the compromise of SolarWinds itself was the source of the attack on FireEye.

“We initially discovered the incident because we saw suspicious authentication for our VPN solution,” said Charles Carmakal, senior vice president and chief technology officer at Mandiant, FireEye’s incident response arm. “The attacker was able to enroll a device in our multi-factor authentication solution, and that generates a warning that we then acted on.”

The details surrounding the FireEye breach emerged from Capitol Hill briefings on the company’s investigation into the massive hack, which officials say is the most significant breach of U.S. government networks in five to six years.

Federal officials and FireEye have said the attackers carried out the covert breach of the U.S. government by embedding malicious code in the software updates SolarWinds distributes to its tens of thousands of customers. As many as 18,000 customers may have received the tainted code, SolarWinds said in a filing with the Securities and Exchange Commission this week.

But the hackers essentially pushed their luck after gaining access to FireEye. They tried to dig deeper into the company by registering one of their own devices on its network, which in theory would have let them move around further without being noticed, people familiar with the case said.
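Carmakal’s description above (an alert on a new MFA device enrollment, acted on after a suspicious VPN authentication) is the one detection that actually worked here, and the device registration described in this paragraph is what triggered it. As an added example, not code from FireEye, Mandiant or this article, the following Python replays a constructed JSON-lines authentication log and raises the kinds of alerts that description implies: every successful MFA enrollment, at higher severity when it comes from an IP address the user has never logged in from, plus any VPN login satisfied by an authenticator enrolled within the last 24 hours. It goes one step beyond the article by also flagging a login whose authenticator has no enrollment record at all, a log-integrity check rather than something FireEye said it did. The log format, field names, sample events, IP addresses and the 24-hour window are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example; they are not FireEye logs. The
# field names (event, user, authenticator_id, src_ip, result) are assumptions.
SAMPLE_LOG = """
{"ts": "2020-11-01T09:00:00Z", "event": "mfa_enroll", "user": "jdoe", "authenticator_id": "auth-phone-01", "src_ip": "203.0.113.10", "result": "success"}
{"ts": "2020-11-03T08:10:00Z", "event": "vpn_auth", "user": "jdoe", "authenticator_id": "auth-phone-01", "src_ip": "203.0.113.10", "result": "success"}
{"ts": "2020-12-01T08:05:00Z", "event": "vpn_auth", "user": "jdoe", "authenticator_id": "auth-phone-01", "src_ip": "203.0.113.10", "result": "success"}
{"ts": "2020-12-04T02:11:09Z", "event": "mfa_enroll", "user": "jdoe", "authenticator_id": "auth-unknown-77", "src_ip": "198.51.100.23", "result": "success"}
{"ts": "2020-12-04T02:14:30Z", "event": "vpn_auth", "user": "jdoe", "authenticator_id": "auth-unknown-77", "src_ip": "198.51.100.23", "result": "success"}
{"ts": "2020-12-04T03:00:00Z", "event": "vpn_auth", "user": "asmith", "authenticator_id": "auth-token-09", "src_ip": "192.0.2.44", "result": "success"}
"""

# A VPN login satisfied by an authenticator enrolled less than this long ago is
# flagged. The window is an assumption; tune it to the environment.
FRESH_ENROLLMENT_WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse JSON-lines auth events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Replay events in time order and return a list of alert dicts."""
    known_ips = defaultdict(set)   # user -> source IPs of earlier successful VPN logins
    enrolled_at = {}               # (user, authenticator_id) -> enrollment time
    alerts = []

    def alert(event, rule, severity, detail):
        alerts.append({
            "ts": event["ts"].isoformat(),
            "user": event["user"],
            "rule": rule,
            "severity": severity,
            "authenticator_id": event["authenticator_id"],
            "src_ip": event["src_ip"],
            "detail": detail,
        })

    for e in events:
        if e.get("result") != "success":
            continue
        user, auth_id, ip = e["user"], e["authenticator_id"], e["src_ip"]
        if e["event"] == "mfa_enroll":
            # Every enrollment is worth a ticket; enrolling from a network the user
            # has never logged in from is the high-severity case. A user with no
            # login history yet (first enrollment) only gets the informational alert.
            if known_ips[user] and ip not in known_ips[user]:
                alert(e, "mfa_enroll", "high", "enrollment from an IP never used by this user")
            else:
                alert(e, "mfa_enroll", "info", "enrollment; verify with the user")
            enrolled_at[(user, auth_id)] = e["ts"]
        elif e["event"] == "vpn_auth":
            enrolled = enrolled_at.get((user, auth_id))
            if enrolled is None:
                # Integrity check: MFA passed with an authenticator we never saw enrolled.
                alert(e, "vpn_auth_unenrolled_authenticator", "high",
                      "no enrollment record for this authenticator")
            elif e["ts"] - enrolled < FRESH_ENROLLMENT_WINDOW:
                alert(e, "vpn_auth_fresh_enrollment", "high",
                      "login using an authenticator enrolled %s ago" % (e["ts"] - enrolled))
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a["severity"].upper(), a["ts"], a["user"], a["rule"], a["src_ip"], "-", a["detail"])
```

Run against the sample, the first enrollment (jdoe’s baseline phone, no prior history) produces only an informational alert; the December enrollment from 198.51.100.23 and the VPN login three minutes later both come out high, as does asmith’s login with an authenticator that was never enrolled. In a real deployment the “known IPs” baseline would be seeded from a lookback window rather than built only from the events being replayed.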

After discovering the breach, FireEye announced earlier this month that sophisticated hackers with “world-class capabilities” had broken into its systems and stolen the red-team tools it uses to simulate attacks on its customers. That disclosure led to a broader search for signs of tampering at other companies and government agencies, given how widely SolarWinds software is used.

It was not immediately clear how much time passed between the FireEye breach and the discovery of the wider hacking scheme.

At least four agencies briefed the House and Senate intelligence committees on Wednesday about the government’s response, including the FBI, the National Security Agency, the Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency.

“The severity and duration of this attack shows that we still have tremendous and urgent work to do to protect our critical information and networks, and that we must act faster than our opponents do to adapt,” House Intelligence Committee Chairman Adam Schiff (D-Calif.) said in a statement.

Administration officials separately briefed members of the Senate Armed Services Committee about the cyberattack on Tuesday and Wednesday as part of previously planned cyber-focused meetings with senators.

Sen. Jim Inhofe (R-Okla.), the chair of the panel, expressed concern that the breach “affects both the government and the private sector,” while Sen. Richard Blumenthal (D-Conn.), a committee member, urged officials to release information about the attack.

During Wednesday morning’s briefing, Blumenthal urged officials to explain why the briefing was secret.

“The American people deserve to know. All of these things should not be classified,” Blumenthal said in an interview, adding that members of his staff have been in direct contact with FireEye employees. “I’m going to make public what I can.”

Senate Intelligence Committee acting Chairman Marco Rubio (R-Fla.), who was briefed on the matter this week, declined to discuss the details of the breach but said he might be able to elaborate “in the coming days.”

“I just think more information needs to be gathered here,” Rubio said. “We should know more soon. Everyone cares.”

Rubio’s counterpart on the committee, Vice Chairman Mark Warner (D-Va.), said the government is “still assessing penetration levels,” but lamented that “the current president of the United States has not said a word about this.”

Despite the series of briefings, there are signs that the White House was trying to muzzle top officials who wanted to brief lawmakers on what they know.

At a meeting of the National Security Council on Tuesday night, national security leaders were instructed not to contact Capitol Hill about briefings on the massive hack without the explicit consent of the White House or ODNI, said people familiar with the episode.

A National Security Council spokesman did not respond to a request for comment.

According to one person familiar with the response, the agencies are still struggling to assess the full extent of the breaches, which “blindsided” them. The National Security Council’s Cyber Response Group met on Monday to begin drafting a plan for assessing the damage. The hackers may have had access to agencies’ email accounts as early as June, but it is believed they have not had access to classified information so far.

Eric Geller and Kyle Cheney contributed to this report.