Security firm Mandiant says it has not mentioned any zero-day exploit usage by Western government agencies in a report about incidents in 2021 because it did not find any exploits which it could identify with reasonable confidence as coming from these sources.
The report, issued on 21 April, named actors from China, Russia and North Korea, either as part of state-sponsored groups or individuals who were affiliated to a state, as being among the highest number who were involved in these attacks.
It is common for security firms to name the countries which the US has on its enemies list — usually Russia, China, North Korea and Iran — as being the main source of attacks.
Mandiant has a reputation for attributing attacks, whether they are mounted through the use of zero-days or not. The company was recently acquired by Google, but the transaction has yet to be finalised due to some concerns expressed by the Securities and Exchange Commission.
The company became a standalone entity in 2021 when its owner, FireEye, was sold to a private entity known as the Symphony Technology Group for US$1.2 billion. FireEye had picked up Mandiant in December 2013.
The separation came after FireEye experienced losses every year after it went public in 2013; it took place in June last year, according to The Wall Street Journal. The sale included its network, email and cloud security software.
Mandiant made headlines in 2013 when it publicly attributed a network attack to a Chinese group, which it named APT1. Prior to that, security firms had always shied away from such definite statements.
Two questions were put to Mandiant about the 2021 report:
“Going by the lack of reference to any malicious activity on the part of Western security agencies, is one to then believe that they do not participate in such activity?
“The NSA is known to have a budget much bigger than any comparable body in any country worldwide. Going by your report, that budget is never used for malicious activity. Is this the case?”
Kelli Vanderlee, senior manager, Threat Intelligence Analysis, did not answer the questions separately.
She said: “Our blog does not refer to Western government-attributed operations because, in 2021, we did not identify an incident of zero-day exploitation that we could attribute with reasonable confidence to Western operators.
“The US and other Western governments have voluntarily disclosed information about offensive cyber operations. Additional activities have been reported in open sources. However, these disclosures rarely identify sources and methods, including use of any particular exploit.”
Vanderlee did not specify either the operations about which information was voluntarily disclosed or the additional activities reported “in open sources”.
Given that Google had recently issued its own report about zero-days exploited in 2021, Mandiant was also asked whether it had used the same figures as Google's review, which was issued on 20 April.
To this, Vanderlee responded: “There is significant overlap between Google’s list of identified zero-days and ours. However, Mandiant ultimately identified 80 zero-days exploited in the wild, while Google reported 58.
“There are likely several factors that contribute to this discrepancy, including how Mandiant and Google define zero-days, and differences in the types of products each group is regularly covering and monitoring for updates. For example, I do not see the SonicWall or PulseSecure or Accellion vulnerabilities listed in Google’s spreadsheet.”