Premiere security firm FireEye says it was breached by nation-state hackers

By | December 8, 2020
Stylized photo of desktop computer.

FireEye, a $3.5 billion company that helps customers respond to some of the world’s most sophisticated cyberattacks, has itself been hacked, most likely by a well-endowed nation-state that made off with “red-team” attack tools used to pierce network defenses.

The revelation, made in a press release posted after the close of stock markets on Tuesday, is a significant event. With a market capitalization of $3.5 billion and a some of the most seasoned employees in the security industry, the company’s defenses are formidable. Despite this, attackers were able to burrow into FireEye’s heavily fortified network using techniques no one in the company had ever seen before.

The hack also raises the specter that a group that was already capable of penetrating a company with FireEye’s security prowess and resources is now in possession of proprietary attack tools, a theft that could make the hackers an even greater threat to organizations all over the world. FireEye said the stolen tools didn’t included any zeroday exploits. FireEye shares fell about 7 percent in extended trading following the disclosure.

So far, the company has seen no evidence that the tools are actively being used in the wild and isn’t sure if the attackers plan to use them. Such tools are used by so-called red teams, which mimic malicious hackers in training exercises that simulate real-world hack attacks. FireEye has released a trove of signatures and other countermeasures that customers can use to detect and repel the attacks in the event that the tools are used. Some researchers who reviewed the countermeasures said they appeared to show that the tools weren’t particularly sensitive.

Tuesday’s release was written by FireEye CEO Kevin Mandia. He wrote:

Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.

We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.

The attacker primarily sought information related to some of FireEye’s government customers, but it’s not clear yet if they succeeded. Mandia said FireEye has found no evidence that the hackers exfiltrated data from the company’s primary systems that store customer information from incident responses or consulting engagements. There’s also no evidence that the attackers obtained metadata collected by threat-intelligence products.

FireEye provided no details about the origin of the attackers beyond saying the evidence strongly suggested they were sponsored by a nation-state. The New York Times reported that the FBI has turned over the investigation to its Russian specialists, suggesting that the Kremlin is behind the hack.

The Washington Post went one step further, citing an unnamed source who said the hack appeared to be the work of the Russian SVR intelligence service. If true, that means the hackers belong to a group that goes under a variety of monikers, including APT 29, Cozy Bear, and the Dukes. The group, which was one of two Russian hacking outfits that breached the Democratic National Committee in 2016, is tied to the country’s according to security firm CrowsStrike.

The FBI rarely confirms investigations, even when they’re already reported by the victims. On Tuesday, however, Matt Gorham, the assistant director of the FBI’s cyber division issued a statement that read in part: “The FBI is investigating the incident and preliminary indications are show an actor with a high level of sophistication consistent with a nation state.”

Meanwhile, Sen. Mark R. Warner (D-VA), the vice chairman of the Senate Select Committee on Intelligence and Co-Chair of the Senate Cybersecurity Caucus, issued a statement that said: “The hack of a premier cybersecurity firm demonstrates that even the most sophisticated companies are vulnerable to cyber-attacks. I applaud FireEye for quickly going public with this news, and I hope the company’s decision to disclose this intrusion serves as an example to others facing similar intrusions.”

FireEye is hardly the only security firm that has suffered a damaging hack. In 2011, RSA said it was hit by a breach that allowed attackers to steal data that “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation,” a statement that suggested the information related to the company’s SecurID product, used by 40 million people at the time, had been targeted.

In 2013 crooks broke into Bit9, stole one of its cryptographic certificates, and used it to infect three of its customers with malware.

And in 2015, Kaspersky Lab disclosed that malware derived from Stuxnet—the malware the US and Israel reportedly unleashed on Iran—had infected its network and remained undetected for months.