WASHINGTON — Critical information from a cybersecurity company allowed the Department of Defense to move fast to mitigate potential damage to its networks from an intrusion perpetrated by the Russian government last year, according to a top official.
The so-called SolarWinds incident involved Russian intelligence personnel planting malicious code in software updates provided by government supplier SolarWinds, allowing unprecedented access for months across federal networks.
Gen. Paul Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, said Tuesday threat intelligence firm FireEye was key to exposing the threat, in a story not previously told.
A few days before Thanksgiving last year, Kevin Mandia, the chief executive of FireEye, went to the NSA with strong indicators a hostile foreign adversary was in FireEye’s corporate system, Nakasone said during a speech at the Mandiant Cyber Defense Summit.
NSA’s signals intelligence personnel corroborated that threat and worked to better understand it. A so-called hunt team from Cyber Command deployed to survey potential network intrusions and uncovered the same actor. The team was able to block the adversary from harming networks and exploiting targets.
“Partnerships across the U.S. government and industry allowed us to uncover the scope and scale of a foreign intelligence operation that leveraged private infrastructure and caused immense private sector harm,” Nakasone said. “Partnerships across the industry allowed for shared solutions. How do we rapidly mitigate this operation and prevent similar future attempts?”
The SolarWinds intrusion was “a significant incident for both the U.S. private sector and the U.S. government” and a turning point for the nation, Nakasone said. However, he echoed DoD assurances that Pentagon networks were not compromised.
“Instead of decades long access to the U.S. government, the power of partnerships was able to expose our adversaries before they burrowed into our networks, our data or our weapon systems,” Nakasone said.
Nakasone also addressed the threat of ransomware, noting it’s a continuing threat.
He said Cyber Command is “surging” to respond to the preponderance of events. Some of the recent targets, which include critical infrastructure, create a national security threat.
“When ransomware starts impacting our critical infrastructure, it’s significant,” he said.
This reflects a shift in recent years. Previously, ransomware was considered a criminal act under the purview of the FBI, not Cyber Command or DoD, which typically focuses on activities and enemies outside U.S. borders.
“If [ransomware] isn’t important to U.S. Cyber Command and the National Security Agency, who are built for the express purpose of defending the nation, there’s something wrong there,” he said. “We have a surge going on right now both across the agency and the command in terms of understanding the threats that ransom provide.
“Understanding the tactics, understanding how we get after the adversary, how do we partner better. That’s what we do really effectively. We can put our best people on it and come up with new and innovative solutions,” Nakasone continued.
The Pentagon is also devoting attention to the ransomware challenge.
“The criminal, especially the ransomware actors, have risen in priority for the Department of Defense in a way that we actually spend a fair amount of resources focusing on this threat,” Mieke Eoyang, deputy assistant secretary of defense for cyber policy, said during an event hosted by the Aspen Institute Sept. 29.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.