FireEye cybersecurity firm’s ‘Red Team’ tools hacked in ‘state-sponsored attack’

A multibillion-dollar cybersecurity firm specializing in exposing and fighting foreign cyberattacks said it was hacked by a sophisticated nation-state actor.

FireEye, a $3.5 billion Silicon Valley company famous for helping governments and its large corporate clients respond to cyberattacks, announced in a blog post on Tuesday the theft of secretive “Red Team” cybertools that mimic a cyber adversary’s online attacks and assist clients with defending against them.

Kevin Mandia, a former Air Force intelligence officer who leads FireEye, said, “Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack” and “based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities.” He said, “The attackers tailored their world-class capabilities specifically to target and attack” the company.

“We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques,” Mandia said. “During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers.”

Mandia added: “We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.” He said that none of the stolen tools contain “zero-day exploits” — or software vulnerabilities unknown to a user or company which could be exploited by hackers. FireEye made public a host of technical information to help members of the cybersecurity community respond.

A Microsoft spokesperson told the Washington Examiner that “this incident demonstrates why the security industry must work together to defend against and respond to threats posed by well-funded adversaries using novel and sophisticated attack techniques.” The Washington Examiner was also told that Microsoft security consultants were assisting with the investigation and that the inquiry had already confirmed that the cyberactor was very disciplined and had used a rare combination of sophisticated attack techniques.

Matt Gorham, the assistant director of the FBI’s Cyber Division, said that the bureau “is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation state” and stressed that “our adversaries are continuously looking for U.S. networks to exploit.”

A spokesperson for the Cybersecurity and Infrastructure Security Agency told the Washington Examiner that “along with our federal partners, we have been working closely with FireEye to understand the scope of this intrusion.” CISA warned that although it “has not received reporting of these tools being maliciously used to date, unauthorized third-party users could abuse these tools to take control of targeted systems.”

“We have seen no evidence to date that any attacker has used the stolen Red Team tools,” Mandia said, adding, “consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers.”

FireEye has conducted a host of high-profile investigations. One 2018 company report called out North Korea as being responsible for the massive 2014 hack of Sony. The company has repeatedly pointed to Russian culpability for hacks against political groups, government agencies, and more. One of FireEye’s clients is Equifax, the victim of a massive hack in 2017 that breached sensitive personal data on an estimated 145 million people in the United States. In February, Attorney General William Barr announced the indictment of four members of the Chinese military for their alleged role in that cyberattack.

Sen. Mark Warner, the vice chairman of the Senate Intelligence Committee, released a statement saying that “the hack of a premier cybersecurity firm demonstrates that even the most sophisticated companies are vulnerable to cyber-attacks.” Patrick Wardle, a former NSA analyst and principal security researcher at Jamf software company, tweeted that “if you’re a hacker / APT group / 3-letter agency, it makes a ton of sense to steal/repurpose other people’s malware.” And Dmitri Alperovitch, the co-founder of CrowdStrike and later the Silverado Policy Accelerator, tweeted that FireEye’s “rapid and transparent disclosure of the intrusion … will go a long way to mitigating the potential impact of this intrusion.”

The hacking of FireEye is reminiscent of the breach of the National Security Agency in 2013 by the yet-mysterious, so-called “Shadow Brokers” who first went public in 2016 and 2017 with the release of secret NSA cybertools, exploited by countries such as Russia and North Korea to carry out hacking campaigns.

Although neither FireEye nor the U.S. government named a specific foreign country as being responsible, the New York Times reported that the “evidence points to Russia’s intelligence agencies” and said, “The FBI has turned the case over to its Russia specialists.” The Wall Street Journal reported that “a person familiar with the matter said Russia is currently seen by investigators as the most likely culprit but stressed that the investigation was continuing.”
