22 comments

[ 4.9 ms ] story [ 59.5 ms ] thread
They noticed the breach in the trial version and still bought the product. Makes me wonder what would have led to them not buying the product.
They likely had a compliance box to check and a limited number of approved vendors.

For the use case of enterprise network monitoring and alerting, with integration of netflow and DB or application-level stats, there are very few effective competitors. HP OpenView probably exists in some hopelessly outdated form under a new name, but every other NMS seems to involve baking a lot of custom scripts or else is cloud-centric.

They noticed funny traffic. And then did their due diligence by contacting both the vendor and a third party to investigate it. The investigation turned out fine.

What else would you do? "We found suspicious traffic but ultimately couldn't substantiate wrongdoing, should we torpedo the whole contract sir?"

"Let's try running the trial on a different network and see what happens."
If there's any justification for this kind of delay between detecting an intrusion and acting on it, it would have to be giving the government time to investigate, in order to correctly identify the source and means of intrusion, so the right parties were charged and innocents weren't dragged in.

Which, unfortunately, was not the case with Solarwinds. Almost immediately after the intrusion was publicly disclosed, there were a bunch of stories, in both industry outlets like The Register and mainstream ones as august as the New York Times, suggesting that software from JetBrains might have somehow been implicated in the hack -- citing no evidence other than that Solarwinds had bought JetBrains products, and that they were, y'know... one of them furrin companies (though Czech, not Russian -- one wonders whether the FBI knows the Czech Republic is an EU member these days).

  https://www.theregister.com/2021/01/07/jetbrains_solarwinds_accusation/
And yet, when a full technical writeup of the way the build servers got breached was available, it turned out that JetBrains software was not at fault; the hack to the build servers worked at a lower level, and switching to a different build orchestrator wouldn't have changed things at all:

  https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
So, extra time to investigate didn't keep the investigators from leaking a report that was just false. JetBrains obviously wasn't well served by this -- but neither were the rest of us.
IIUC JetBrains products are developed in St. Petersburg, Russia.
They had an office there but IIRC it has been shuttered
Where was it at the time of the hack?
This is irrelevant to the discussion, anyway.
St Petersburg. Up until the latest Russian invasion of Ukraine in 2022 they were a de facto Russian company. After the invasion they offered all their employees relocation assistance and laid off those who declined to immigrate.
Why provide links and then make them unclickable?
(comment deleted)
Amazing the amount of government, industry, and academic coordination that was put in place to fight disinformation. Why can't that same effort be put into cyber and ransomeware security?
Because “fighting disinformation” is simply a cover for introducing political censorship into the modern populace. The same effort could be applied, but it wouldn’t benefit the powers that be nearly as much.
Words have meaning.

The fact that you fear that possibility is indicative.

That’s the natural conclusion to draw when factually accurate information is repeatedly censored in support of establishment narratives:

This isn’t about “misinformation” but suppressing voices which challenge the government narrative — especially when the “official” narrative is misinformation.

I think the key thing other commenters here are missing is how the compromise at the time did not appear to be anything unusual.

You will notice that network traffic got their attention, not endpoint telemetry. This means they had no idea what process did what. Implants like that do everything in memory, chances are they found some malicious code and weird network traffic but it was on a trial box and they didn't have enough information to figure out what was happening.

This is why in IR we say "the worst thing that can happen during an incident is to eradicate incorrectly" (paraphrasing).

Mandiant being who they are probably had their agents all over and could tell what was happening where (and as they claim, if they were a country, their intel capability would be 5th in the world), but not only that they had access to customer networks which allowed them to get an idea of the scale of the breach.

Lastly, even in infosec, people who don't respond to incidents don't get just how much luck is involved, for threat actors as well as incident responders.

As I recall, someone noticed weird MFA device registration on his account and reported it or something at Mandiant. Had that been ignored FSB would have been very happy for at least a few months more.