{
	"id": "1ab0f579-3850-414a-b5b7-e085fe58decf",
	"created_at": "2026-04-06T00:12:24.0418Z",
	"updated_at": "2026-04-10T13:11:50.078735Z",
	"deleted_at": null,
	"sha1_hash": "55cc8d06b33cd93576fd4f8016527403840605b2",
	"title": "Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries’",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47561,
	"plain_text": "Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries’\r\nBy Zaid Shoorbajee\r\nPublished: 2018-06-01 · Archived: 2026-04-05 17:27:30 UTC\r\nMalware used by the United States in offensive cyber-operations plays “nice” when compared to other nation-state malware, according to FireEye CEO Kevin Mandia.\r\nSpeaking at the Cyber Threat Intelligence Forum produced by Scoop News Group on Thursday, Mandia said when FireEye analyzes malware from state-backed hackers, the company usually finds elements of public policy baked into operations. Certain tells in the malware’s behavior or the code itself can be indicative of which state is behind it.\r\n“We find malware that sometimes has a time to live and then it doesn’t run anymore. I wonder who would do that,” Mandia said on stage. “Probably [the U.S.] because we’re the nicest hackers in cyberspace, besides maybe China.”\r\nThe U.S. and China are more disciplined in their operations than adversaries like North Korea and Russia, who are instead unrestrained, he said.\r\n“We see guardrails on malware from nations like the United States, but do we see guardrails on malware from Russia? No.”\r\nOther experts, including former U.S. officials, contend that the U.S. can be similarly unrestrained and careless in cyberspace. They point to one specific case that’s widely attributed to the U.S. known as “Stuxnet,” which originally targeted but quickly spread beyond an Iranian nuclear enrichment facility.\r\nMandia went on to describe an unspecified North Korean cyber-operation in which the malware, upon detecting that someone was investigating, rewrote the victim’s hard drive. Such properties are indicative of North Korea’s attitude toward the systems it compromises, Mandia said.\r\n“That’s annoying to deal with, but that’s a policy decision. They don’t care what they destroy when they compromise something,” he said. “And I have a funny suspicion with our lawyers looking over their shoulders with all of our offensive capability, we absolutely do care and we’re not going to have collateral damage in cyberspace.”\r\nMandia told CyberScoop in an interview after his keynote that the U.S.’s behavior could change soon.\r\nCyberScoop recently reported that officials inside the National Security Council are pressing for more offensive measures on the heels of U.S. Cyber Command’s recent elevation to a fully independent combatant command.\r\n“My gut, just pure gut, not fact based — [U.S. Cyber Command] will probably break the niceties,” Mandia told CyberScoop. “In cyberspace, everyone else is breaking [laws]. Nobody wants to over escalate, however the next war will be fought with a cyber component. We’ll have to be ready for that.”\r\nThe public remarks cracked a window into how U.S. cybersecurity companies deal with malware that appears to originate from the U.S. or allied governments.\r\nMandia, for example, told CyberScoop that before publishing a public threat intelligence report, FireEye will typically tip off intelligence officials from the Five Eyes alliance about the release. If FireEye detects malware on a customer’s system that researchers think is from the U.S. or an allied country, it will remove it. But Mandia said such malware ought to be stealthier.\r\n“If friendlies get caught by our detection, then in my opinion is they just need to get better,” Mandia said. “We’re going to protect our clients first and foremost.”\r\nIn March, Russian cybersecurity company Kaspersky Lab released information on an operation referred to as “Slingshot,” which covered malware that was spying on victims located in the Middle East. As CyberScoop previously reported, Slingshot was a U.S. counterterrorism operation aimed at capturing terrorism targets. Kaspersky’s report subsequently burned the operation.\r\nIn a press briefing, FireEye executives said that the company treats all cyberthreats the same, but uses discretion when it comes to public disclosure.\r\n“We respond to breaches all over the world. There are certain times when we think it’s potentially a friendly that was behind it,” said Charles Carmakal, a vice president with Mandiant, FireEye’s incident response subsidiary. “From our investigative perspective we treat it as if it was a threat actor. We help our clients eradicate the threat actor from their environment.”\r\nBut even with removing a threat from a customer’s system, officials said the company would stop short of going public. Ron Bushar, a vice president at FireEye, compared the action to publicly disclosing a zero-day vulnerability without giving the affected organization a chance to fix the issue.\r\n“I think there’s a difference between public disclosure and investigative support, and I think there’s important standards or best practices that we tend to follow,” Bushar said. “And certainly before you go public with anything … there has to be a consideration of what the impacts are both from a government perspective and what those impact could be to your client and to the organization conducting those operations.”\r\nAnother FireEye executive, John Hultquist, director of threat analysis, said that publicly outing a U.S. cyber-espionage operation, especially a counterterrorism effort, would cross a line that goes beyond quietly dealing with the issue for a client.\r\n“I see counter terrorism stuff all the time,” said Hultquist. “There’s a difference, you know, between stopping it and publishing it for everyone to see.”\r\nGreg Otto and Chris Bing contributed to this report.\r\nSource: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/"
	],
	"report_names": [
		"kevin-mandia-fireeye-u-s-malware-nice"
	],
	"threat_actors": [
		{
			"id": "72aaa00d-4dcb-4f50-934c-326c84ca46e3",
			"created_at": "2023-01-06T13:46:38.995743Z",
			"updated_at": "2026-04-10T02:00:03.175285Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "MISPGALAXY:Slingshot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f55c7778-a41c-4fc6-a2e7-fa970c5295f2",
			"created_at": "2022-10-25T16:07:24.198891Z",
			"updated_at": "2026-04-10T02:00:04.897342Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "ETDA:Slingshot",
			"tools": [
				"Cahnadr",
				"GollumApp",
				"NDriver"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434344,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55cc8d06b33cd93576fd4f8016527403840605b2.pdf",
		"text": "https://archive.orkl.eu/55cc8d06b33cd93576fd4f8016527403840605b2.txt",
		"img": "https://archive.orkl.eu/55cc8d06b33cd93576fd4f8016527403840605b2.jpg"
	}
}