FireEye not ready to ascribe SolarWinds hack to Russia

The cybersecurity firm credited with discovering the compromise of SolarWinds Orion isn't saying that Russia didn't do it, but that more evidence is needed to make a definitive attribution.


The cybersecurity firm FireEye said Tuesday that it has not seen enough evidence to positively identify the hackers behind the ongoing SolarWinds Orion hack to Russian entities.

"We are not attributing to a sponsor at this time," said Benjamin Reed, the company's director of threat intelligence. "We don't have sufficient evidence to support naming a specific sponsor."

Reed acknowledged that the federal government recently said the hackers, which FireEye is calling UNC2452, are "likely Russian in origin."

That notion is "plausible from what we've seen," Reed said during a webinar this week. He added that Russian groups have been observed using the sophisticated methods being discovered by public and private investigators probing how UNC2452 managed to both breach and remain undetected on countless networks for months.

FireEye is credited as the first to detect an intrusion in SolarWinds Orion, an IT management software. Although FireEye is not attributing the attack to Russia yet, Reed said the company has also not seen any evidence pointing to another country.

Gregory Touhill, the federal government's first chief information security officer and a retired Air Force brigadier general, said FireEye's reluctance to attribute the attack to Russia is likely a matter of due diligence.

"When it comes to attribution, what the intelligence and law enforcement community has to do is … literally trace it all the way back to the root," he said. FireEye has to gather evidence that "will hold up in court. That's the realm that [FireEye] and others are dealing with. Those who don't have to prove it in court can say whatever they want."

SolarWinds' new chief executive officer Sudhakar Ramakrishna, who succeeded Kevin Thompson at the start of the new year, said in his own blog post this week that the earliest indications that hackers breached their networks dates back to September 2019.

"To date, our investigations have not independently verified the identity of the perpetrators," he wrote.