The recently disclosed cyber intrusion of government and private sector networks by a state-backed hacking group was motivated by espionage, and the types of information stolen indicate it was meant to benefit “multiple government priorities,” an official with the cyber security firm FireEye [FEYE] said on Tuesday.
FireEye, which in December first reported the breach of its own networks and those of others, has seen UNC2452 target internal documents, intellectual property and emails, but the group isn’t “grabbing all information” on the networks it has infiltrated, Benjamin Read, director of Threat Intelligence Analysis for the company’s Mandiant division, said during a webinar the company hosted.
The information stolen so far has “low monetary value” and FireEye isn’t seeing signs of “destructive or disruptive goals” from the group or the theft of personally identifiable information or financial data, he said.
Read didn’t elaborate on the specific types of information that were stolen, although he did mention research and development.
The primary targets of the hack are in North America with a “heavy focus on government,” as well as non-governmental organizations, “some higher education” entities, and technology companies, he said. There has been “a little bit of activity in Europe,” he also said.
“Targets that are value for geopolitical reasons,” Read said, noting that the information can be used to help with “decision-making.” He added that “How the U.S. government works is of interest to lots of governments.”
William Evanina, director of counterintelligence for the U.S. intelligence community, also said on Tuesday that espionage was the primary goal of the cyber intrusion.
“I won’t get in front of the government’s assessment of this right now but from my perspective in counter-intelligence space I see this as an intelligence gathering operation,” Evanina said during a live event hosted by the Washington Post.
FireEye also isn’t ready to attribute the origin of UNC2452, which U.S. government security agencies believe is tied to Russia, Read said.
The advanced persistent threat actor is “highly skilled, likely state-backed,” but FireEye doesn’t have “sufficient evidence to support naming the specific sponsor,” Read said. The U.S. government’s attribution is “certainly plausible from what we’ve seen,” he said, pointing to the “sophistication” and “stealth” of the hacking group as consistent with what Russian groups have shown in the past.
“And we don’t have anything pointing to a different country besides Russia,” Read said. “Based on the evidence we have, we don’t have evidence to say, ‘Yes, this is Russia.’”
Evanina said he believes Russia is behind the hacking, noting that official attribution “is a policy matter.”
The FBI, Department of Homeland Security, Office of the Director of National Intelligence and National Security Agency last week said fewer than 10 U.S. government agencies have been compromised by the cyber hack, but Evanina said he expects this number to grow.
The hackers gained entry through software products from the network management company SolarWinds [SWI]: patches, or upgrades, to SolarWinds products already installed on computer systems operated by thousands of customers carried the intruders’ code. The breach was carried out using malware that hadn’t been seen before.
Asked by Washington Post reporter Ellen Nakashima if the latest breach was a wake-up call for the government and private sector and what needs to be done to protect the security of the information and communications technology supply chain, Evanina replied, “we’ve had too many wake-up calls.”
Supply chain protection is the “second pillar” of the nation’s counterintelligence strategy, and what is needed is the “right mechanism” for public-private partnership, one better than the current arrangement, Evanina said.
The government needs to be able to “utilize private sector talent, capability and know-how to protect our nation and our entire society,” Evanina said. This means providing authorities “to allow the private sector to partner more effectively,” he said.
The key government agencies involved in helping protect the U.S. from cyber threats at home and abroad—the FBI, Department of Homeland Security and National Security Agency—have to work better together as well, Evanina said.
“I think we have to get to a sound solution for how we make that all one in the future,” he said.
Evanina also said that a supply chain risk mitigation program needs to be built around zero trust in the products and services any organization uses, as well as basic hygiene such as watching for spearphishing attempts and installing patches routinely.