Jeff Seldin
23 Feb, 35 tweets, 16 min read
Happening now: Senate Intelligence Committee hearing on #SolarWinds hack

"Preliminary indications suggest that the scope & scale of this incident are beyond any that we’ve confronted as a nation, & its implications are significant" warns committee chairman @MarkWarner
"The reality is the hackers responsible have gained access to thousands of companies, and the ability to carry out far more destructive operation if they wanted to" per @MarkWarner

#SolarWinds hack
"While many aspects of this compromise are unique, the #SolarWinds Hack also highlights a number of lingering issues that we have ignored for too long" per @MarkWarner
"The bottom line question is how did we miss this, and what are we still missing?" per Senate Intelligence Committee Vice Chair @marcorubio re #SolarWinds hack
Another critical question per @marcorubio: "What do we know that we do not know?"
.@marcorubio echoes @MarkWarner that some sort of required reporting may be needed to avoid another #SolarWinds hack
"Whoever this threat actor is, & we all pretty much know who it is, this has been a multi-decade campaign for them..." @FireEye CEO Kevin Mandia tells Senate Intelligence Committee members

"This is a very sophisticated attacker"
"We unearthed every clue we could possibly find & we still didn't know, how did the attacker break in" per @FireEye's Mandia, saying they had to find "a proverbial needle in a haystack"

"This is the last place you'd look for an intrusion"
"These attackers from day one, they had a back door" to grab the keys to the house, per @FireEye's Mandia

"The only indicator of compromise was just somebody logging in as one of your employees..."
Attackers first got credentials and then went to "access emails, access documents"

And then they went after source code, per @FireEye's Mandia
#SolarWinds hacker "was more concerned about operational security than mission accomplished" per @FireEye's Mandia "The minute you could detect these folks & stop them breaking thru the door they sort of evaporated like ghosts"
"We believe the Orion platform was specifically targeted in this nation-state operation to create a backdoor into the IT environment of select clients" per @solarwinds President & CEO Sudhakar Ramakrishna
Malicious code was deployed during a 3-month period, per @solarwinds' Ramakrishna
"We're dealing w/a very sophisticated adversary" per @Microsoft President @BradSmi

"We've seen substantial evidence that points to the #Russia|n foreign intelligence agency & we have found no evidence that leads us anywhere else"
Adversary is not new but the scale of the hack/penetration is, per @Microsoft's @BradSmi

"At least 1,000 very skilled, capable engineers" worked to make #SolarWinds hack happen, he says
"This was an act of recklessness in my opinion" per @Microsoft's @BradSmi
"The world relies on the patching & updating of software. We rely on it for everything... To disrupt, to damage, to tamper w/that kind of software updating process is in my opinion to tamper w/the digital equivalent of our public health service" per @Microsoft's @BradSmi
.@Microsoft's @BradSmi says there needs to be "some kind of notification obligation" - appearing to back call for national reporting requirement

"I think it's the only way we're going to protect the country"
"Right now, the attacker is the only one who knows everything they did" per @Microsoft's @BradSmi

"We have pieces... " he says
"This is a planned attack. This is not something done in somebody's basement" per @FireEye's Mandia

re #SolarWinds
The malware "looked for nearly 50 different [security] products & shut them down when it ran" per @FireEye's Mandia

"This was planned. It was an operation. There were a lot of ppl involved & the question really is, where's the next one?"
"The tradecraft & operational security was superb" per @CrowdStrike CEO @George_Kurtz

"It is absolutely a sophisticated nation-state actor... this took a lot of work"
#SolarWinds hack - "It is most consistent w/behaviors we've seen out of #Russia" per @FireEye's Mandia
"The sooner we make a more fulsome attribution, the better" per @MarkWarner re US officials saying it was likely #Russia

"We need to call out our adversary...plan an appropriate response"
"We should notify someone. We should notify I think a part of the US gvt that would be responsible for aggregating threat intelligence & making sure it is put to good use" per @Microsoft's @BradSmi
"Notification needs to be confidential" adds @FireEye's Mandia "Get the intel out there quickly..."
Firewalls "are a speed bump on the information superhighway for the bad guys" per @CrowdStrike CEO @George_Kurtz
Threat actor behind #SolarWinds, "They've already moved on to whatever's next. We've got to go find it" per @FireEye's Mandia "They're going to be an ever-present offense we have to play defense against"

"How they break in will always evolve"
"We've got to communicate, where's a red line?" per @FireEye's Mandia "We've got to come up with what's tolerable, not tolerable. Communicate it so we don't see a gradual escalation"
"But to impose risk & repercussions is the purview of the gvt" per @FireEye's Mandia

"The gvt's in the best place to get attribution the most right"
"We're all playing goalie & we're taking slapshots from Wayne Gretzky" per @FireEye's Mandia "The puck's going to get in the net sooner or later & that's what's happening in cyberspace"

"There is no risk or repercussion to the folks doing it. We're all fighting a losing battle"
.@solarwinds CEO says no evidence of hacker still in the company's systems or products
"We weren't a full-time job for the attackers who broke into us" notes @FireEye's Mandia
"I think deterrence is one of the most important parts of a national strategy & frankly it isn't one that has been very well developed in this country" per @SenAngusKing

Also says US must do better working w/allies on hacks like #SolarWinds
How did the attackers get in?

"We have had a number of hypotheses" per @solarwinds CEO Sudhakar Ramakrishna, who tells lawmakers the company has narrowed it down to 3 probable entry points, but does not elaborate further
