FireEye hedges on naming Russians as SolarWinds attackers
- By Justin Katz
- Jan 15, 2021
FireEye has not seen enough evidence to positively trace the hackers behind the ongoing SolarWinds Orion hack to Russian entities, a company executive said.
"We don't have sufficient evidence to support naming a specific sponsor," said Benjamin Reed, the cybersecurity company's director of threat intelligence.
Reed acknowledged that the federal government recently said the hackers are "likely Russian in origin," but FireEye has been calling the threat group UNC2452, with the UNC referring to "uncategorized."
The notion that the attackers are likely Russian is "plausible from what we've seen," Reed said during a webinar this week. He added that Russian groups have been observed using the sophisticated methods now being uncovered by public and private investigators probing how UNC2452 managed to both breach and remain undetected on countless networks for months.
FireEye is credited as the first to detect an intrusion in SolarWinds Orion, an IT management software. Although FireEye is not attributing the attack to Russia yet, Reed said the company has also not seen any evidence pointing to another country.
Gregory Touhill, the federal government's first chief information security officer and a retired Air Force brigadier general, said FireEye's reluctance to attribute the attack to Russia is likely a matter of due diligence.
"When it comes to attribution, what the intelligence and law enforcement community has to do is … literally trace it all the way back to the root," he said. FireEye has to gather evidence that "will hold up in court. That's the realm that [FireEye] and others are dealing with. Those who don't have to prove it in court can say whatever they want."
This article was first posted to FCW, a sibling site to GCN.
Justin Katz is a former staff writer at FCW.