The second wave, which began
“You never want to see a modern nation like
Mandia said his company assesses, based on the forensics, that two groups of Chinese state-backed hackers — in an explosion of automated seeding — installed backdoors known as “web shells” on an as-yet undetermined number of systems. Experts fear a large number could easily be exploited for second-stage infections of ransomware by criminals, who also use automation to identify and infect targets.
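The web shells described above leave a trace in the web server's own request logs before any second-stage payload arrives. The following is an added example written for this page, not code from the AP story or from Mandia's company: it parses IIS W3C extended log lines and flags successful POST requests to .aspx pages under directories that an administrator has listed as static-content-only. The log lines, the IP addresses, the file name and the `STATIC_ONLY_PREFIXES` allowlist are all constructed for illustration; a real hunt would use the organisation's own web-root layout and vendor-published indicators.

```python
"""
Added example: hunt IIS W3C logs for POST activity against .aspx files in
directories that should never run server-side code. Everything below
(sample log, addresses, paths, allowlist) is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample of IIS W3C extended log lines (not real server data).
# The #Fields header tells us which column is which.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-03-02 14:01:10 GET /owa/auth/logon.aspx url=/owa/ 203.0.113.10 200
2021-03-02 14:01:12 POST /owa/auth.owa - 203.0.113.10 302
2021-03-02 14:05:44 POST /aspnet_client/system_web/help.aspx - 198.51.100.23 200
2021-03-02 14:05:45 POST /aspnet_client/system_web/help.aspx cmd=1 198.51.100.23 200
2021-03-02 14:06:01 GET /aspnet_client/system_web/help.aspx - 198.51.100.23 404
2021-03-02 14:07:30 POST /ecp/default.aspx - 192.0.2.9 200
"""

# Assumption: these URI prefixes serve only static client-side files, so a
# successful POST to a .aspx page beneath them is out of place.
STATIC_ONLY_PREFIXES = ("/aspnet_client/",)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line encountered before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        yield dict(zip(fields, parts))


def is_suspicious(rec):
    """POST to a .aspx page under a static-only prefix that the server answered 200."""
    stem = rec.get("cs-uri-stem", "").lower()
    return (
        rec.get("cs-method", "").upper() == "POST"
        and stem.endswith(".aspx")
        and stem.startswith(STATIC_ONLY_PREFIXES)
        and rec.get("sc-status", "") == "200"
    )


def hunt(text):
    """Return {(client_ip, uri_stem): request_count} for suspicious requests."""
    hits = defaultdict(int)
    for rec in parse_w3c(text):
        if is_suspicious(rec):
            hits[(rec["c-ip"], rec["cs-uri-stem"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (ip, stem), count in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{ip} -> {stem}: {count} suspicious POST(s)")
```

Running it on the constructed sample reports one client that twice POSTed successfully to a .aspx page under `/aspnet_client/`; the 404 and the POSTs to the real application paths are ignored. Each hit is a lead to pull the file and its modification time, not a verdict on its own.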
Across the globe, cybersecurity teams are scrambling to identify and shore up hacked systems. The
The
The assessment of Mandia, who has been dealing with Chinese state-backed hackers since 1995 and has long had the ear of presidents and prime ministers, squares with that of
The explosion of automated backdoor-creating hacks began five days before
Suddenly, all manner of organizations that run email servers were infected with web shells associated with known Chinese groups, who — knowing the patch was imminent — rushed to hit everything they could, said Mandia.
“They could sense it was going to end-of-life soon, so they just went wild. They machine gun-fired down the stretch,” he said in an interview in
It's possible the second infection wave was not approved at the highest levels of
“This doesn’t feel consistent with what they normally do,” he said. “A lot of times there’s a disconnect between senior leadership and front-line folks. All I can tell you is it was surprising to me to see four ‘zero days’ wantonly exploited,” adding, “If you could be exploited by this act, for the most part, you were.”
“Zero days” are vulnerabilities that hackers discover and use to pry open secret doors in software. Their name derives from the countdown to patching that begins after they are deployed. In this case, it took
Mandia cautioned that the mass hack is not apt to trigger any critical infrastructure failures or cost lives. “It’s not going to draw blood.” But it highlights how there are no rules of engagement in cyberspace, something governments urgently need to address “before something catastrophic happens.”
Asked for comment on Monday about allegations it was behind the hack, the
Mandia compared the Exchange hack with the
“The SolarWinds attack was very surreptitious, very stealthy, very focused. The operator showed restraint and they went deep not wide,” said Mandia, who appeared in multiple
Mandia said Russian intelligence operatives had manually penetrated the networks of between 60 and 100 different victims. Security researchers say telecommunications and software companies and think tanks were especially hard hit.
Bajak reported from
Copyright 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.