How Suspected Russian Hackers Outed Their Massive Cyberattack

Two congressional staffers briefed on the intrusion said FireEye representatives, who met with multiple lawmakers and their staffers this week to discuss the hack, disclosed a potentially embarrassing detail: that the hackers had exploited a security feature called two-factor authentication to gain access to FireEye’s network by duping an employee into revealing his or her credentials.

In a 2016 blog post, FireEye laid out how such an attack might be carried out, noting that while “two-factor authentication is a best practice for securing remote access, it is also a Holy Grail for a motivated red team” — a reference to security professionals hired to find clients’ weak points — who can “use the most straightforward method to acquire the credentials we need: ask the victim to enter them for us. The perfect trap happens to be the simplest to set.”

Asked for comment, however, FireEye officials denied the congressional staffers’ account, insisting that none of its employees were tricked and that the company caught the breach when the hackers tried to register a new device on FireEye’s system. A spokesperson also reiterated that the SolarWinds compromise was itself the source of the attack against FireEye.

“We initially detected the incident because we saw a suspicious authentication to our VPN solution,” said Charles Carmakal, senior vice president and chief technology officer at Mandiant, FireEye’s incident response arm. “The attacker was able to enroll a device into our multi-factor authentication solution, and that generates an alert which we then followed up on.”

A FireEye spokesperson later added: “There is a fundamental misunderstanding of how this attack unfolded. We determined the SolarWinds compromise was the original vector for the attack against FireEye. The cause of FireEye’s security incident was not a result of an employee being duped or tricked into typing credentials onto a login page; and at no time did we say anything of the sort to Congress or otherwise.”

The details surrounding the intrusion on FireEye were one revelation from Capitol Hill briefings on the company’s investigation into the massive hack, which officials have said may be the most consequential breach of U.S. government networks in five to six years.

Federal officials and FireEye have said the attackers carried out the stealthy breach of the U.S. government after embedding malicious code into the software updates that SolarWinds offers to its tens of thousands of clients. Nearly 18,000 organizations received the infected code, SolarWinds said this week in a Securities and Exchange Commission filing.

But the hackers essentially pushed their luck after gaining access to FireEye. They attempted to burrow deeper into the firm by registering one of their devices with the company’s network, which in theory would let them rummage around more without being detected, people familiar with the matter said.
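The detection described above, an alert on enrollment of a new multi-factor device, is easy to sketch. The following is an added example, not FireEye's, Mandiant's, or any vendor's code: it walks a stream of constructed VPN-login and MFA-enrollment events, flags every enrollment of a device the user has never registered before, and raises the severity when the enrollment comes from, or closely follows a VPN login from, a country outside that user's baseline. The event fields, the baseline, and the 15-minute window are assumptions made for the illustration.

```python
"""
Added example (not FireEye/Mandiant code): triage new MFA device enrollments
against a per-user baseline. All events and baselines below are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed baseline: devices and countries each user has historically used.
# In a real deployment this would be built from weeks of authentication logs.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"devices": {"dev-a1"}, "countries": {"US"}},
    "bob":   {"devices": {"dev-b1"}, "countries": {"US", "GB"}},
}

# Constructed, time-ordered event stream. Field names are assumptions.
EVENTS: List[dict] = [
    {"ts": "2020-12-01T09:00:00", "user": "bob",   "event": "vpn_auth",
     "country": "GB", "device": "dev-b1"},
    {"ts": "2020-12-01T09:05:00", "user": "bob",   "event": "mfa_enroll",
     "country": "GB", "device": "dev-b2"},   # new device, familiar country
    {"ts": "2020-12-01T22:10:00", "user": "alice", "event": "vpn_auth",
     "country": "RO", "device": "dev-a1"},   # login from a country alice never uses
    {"ts": "2020-12-01T22:12:00", "user": "alice", "event": "mfa_enroll",
     "country": "RO", "device": "dev-zz"},   # new device two minutes later
]

WINDOW = timedelta(minutes=15)  # assumed correlation window


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def detect_enrollments(events: List[dict], baseline: Dict[str, dict],
                       window: timedelta = WINDOW) -> List[dict]:
    """Return one alert per MFA enrollment of a never-before-seen device.

    Severity is "review" for a plain new-device enrollment and "high" when
    the enrollment itself, or a VPN login by the same user within `window`,
    comes from a country outside the user's baseline. Events must be sorted
    by timestamp.
    """
    recent_vpn: Dict[str, List[dict]] = {}
    alerts: List[dict] = []
    for ev in events:
        user, t = ev["user"], _parse(ev["ts"])
        if ev["event"] == "vpn_auth":
            recent_vpn.setdefault(user, []).append(ev)
            continue
        if ev["event"] != "mfa_enroll":
            continue
        prof = baseline.get(user, {"devices": set(), "countries": set()})
        if ev["device"] in prof["devices"]:
            continue  # re-enrolling a known device is not interesting here

        reasons: List[str] = ["new_device"]
        if ev["country"] not in prof["countries"]:
            reasons.append("unusual_country")
        # Any VPN login by this user inside the window from an unusual country?
        if any(t - _parse(v["ts"]) <= window
               and v["country"] not in prof["countries"]
               for v in recent_vpn.get(user, [])):
            reasons.append("recent_vpn_from_unusual_country")

        alerts.append({
            "ts": ev["ts"], "user": user, "device": ev["device"],
            "severity": "high" if len(reasons) > 1 else "review",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_enrollments(EVENTS, BASELINE):
        print(a)
```

Every new-device enrollment surfaces, as Carmakal described, but the severity lets an analyst prioritise the one that follows a VPN session from somewhere the user has never logged in from; a stolen credential plus a freshly enrolled second factor is exactly the pattern that should not sit in a queue.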

After discovering the intrusion, FireEye announced earlier this month that sophisticated hackers with “world-class capabilities” had breached its systems and stolen the tools it uses to simulate cyberattacks against its clients. That triggered a broader search for signs of tampering at other companies and government agencies, given how widely SolarWinds’ software is used.

It wasn’t immediately clear how much time passed between the FireEye intrusion and the discovery of the broader hacking scheme.

At least four agencies briefed the House and Senate intelligence committees on Wednesday about the government’s response, including the FBI, National Security Agency, the Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency.

“The seriousness and duration of this attack demonstrate that we still have enormous and urgent work to do to defend our critical information and networks, that we must move quicker than our adversaries do to adapt,” House Intelligence Chair Adam Schiff (D-Calif.) said in a statement.

Administration officials separately briefed members of the Senate Armed Services Committee about the cyberattack on Tuesday and Wednesday as part of previously scheduled cyber-focused meetings with senators.

Sen. Jim Inhofe (R-Okla.), the panel’s chair, expressed alarm that the breach “affects both the government and the private sector,” while Sen. Richard Blumenthal (D-Conn.), a committee member, is pushing for officials to declassify information about the attack.

During Wednesday morning’s briefing, Blumenthal pressed officials to explain why the briefing was classified.

“The American people deserve to know. All of this stuff should be unclassified,” Blumenthal said in an interview, adding that members of his staff have been in touch directly with FireEye employees. “I’m going to make public whatever I can.”

Senate Intelligence Chair Marco Rubio (R-Fla.), who was briefed this week on the matter, declined to discuss details of the breach but said he might be able to elaborate “in the next couple days.”

“I just think there’s more information to be gathered here,” Rubio said. “We should know more soon. Everyone cares about it.”

Rubio’s counterpart on the committee, Vice Chair Mark Warner (D-Va.), said the government is “still assessing the extent of the penetration,” but lamented that “the current president of the United States has not said a word about this.”

Despite the series of briefings, there are signs that the White House was trying to muzzle top officials seeking to fill in lawmakers on what they know.

During a National Security Council meeting on Tuesday night, national security leaders were instructed not to reach out to Capitol Hill for briefings on the massive hack without explicit approval from the White House or ODNI, according to people familiar with the episode.

A spokesperson for the National Security Council did not respond to a request for comment.

The agencies are still scrambling to assess the full scope of the breaches, which “blindsided” them, according to one person familiar with the reactions. The National Security Council’s Cyber Response Group met on Monday to begin formulating a plan for assessing the damage. The hackers may have gained access to agency email accounts as far back as June, but as of now are not believed to have accessed classified information.

Eric Geller and Kyle Cheney contributed to this report.