Here's a high-res image of SVR headquarters (former First Chief Directorate, KGB) that I purchased for my book, by Marina Lystseva.
Also, a subtle point on terminology: exfiltrating data from regular foreign intelligence targets — however stealthy, targeted, or labor-intensive — should not be called an "attack." An intrusion becomes an attack when adversaries modify, delete, or leak targeted files.
Yes, that’s better https://twitter.com/ildannymoore/status/1338553048768110594
The exploitation of the SolarWinds updates/installs has been going on since at least March, so about 9 months. It's not over. Shutting the backdoor is one thing. Getting an advanced, persistent, stealthy adversary out of your network is another thing.
SolarWinds appears to be an excellent entry point into a large number of high-value intelligence targets ("fewer than 18,000," according to SolarWinds). The adversary likely faced a permanent tension throughout the entire campaign: scale up or keep tight OPSEC?
That tension came to a head with the targeting of FireEye — which appears to have been the undoing of the entire campaign. A very imprudent, probably arrogant move. Somebody in Yasenevo likely got into deep trouble for going after Mandiant.
You can follow @RidT.