New: SolarWinds hackers did test-run of spy operation in Oct 2019, when malicious SolarWinds files were first downloaded by customers. That version didn’t have backdoor in it, however. Indicates hackers were in SolarWinds network in 2019, if not earlier.
Investigators have so far found no evidence the attackers did anything to infected machines once the malicious Oct 2019 SolarWinds software was installed; suggests this was just a dry-run to test that their malicious files would deliver to customer machines and not be detected.
I also clarify in story how FireEye first discovered breach. It occurred when the hackers, who already had an employee’s credentials, used those to register their own device to FireEye’s multi-factor authentication system so they could receive the employee’s unique access codes.
FireEye’s security system sent alert to the employee and to company’s security team saying a new device had just been registered to the company’s MFA system as if it belonged to the employee. This prompted FireEye to investigate.