New: SolarWinds hackers did test-run of spy operation in Oct 2019, when malicious SolarWinds files were first downloaded by customers. That version didn't have backdoor in it, however. Indicates hackers were in SolarWinds network in 2019, if not earlier. https://news.yahoo.com/hackers-last-year-conducted-a-dry-run-of-solar-winds-breach-215232815.html
Investigators have so far found no evidence the attackers did anything to infected machines once the malicious Oct 2019 SolarWinds software was installed; suggests this was just a dry-run to test that their malicious files would deliver to customer machines and not be detected.
I also clarify in story how FireEye first discovered breach. It occurred when the hackers, who already had an employee's credentials, used those to register their own device to FireEye's multi-factor authentication system so they could receive the employee's unique access codes.
FireEye's security system sent alert to the employee and to company's security team saying a new device had just been registered to the company's MFA system as if it belonged to the employee. This prompted FireEye to investigate.
As FireEye was trying to determine how the hackers obtained the employee's credentials to register their device, this led them to uncover the SolarWinds breach into their network. The hackers may have obtained the employee's credentials once inside FireEye's network.
Just want to emphasize there's no evidence a FireEye employee was duped into revealing their credentials to the hackers, as has been previously reported. The hackers could have obtained credentials for this and other employees once they got into FireEye via SolarWinds.
“This tells us the actor had access to SolarWinds’ environment much earlier than this yr. We know at minimum they had access Oct. 10, 2019...that intrusion has to originate probably at least a couple of months before that — probably at least mid-2019 [if not earlier].”