Cybersecurity firm FireEye, which has been prominent in the fight against nation-state cyberthreats, has been itself attacked by “a highly sophisticated threat actor, one whose discipline, operational security, and techniques,” company CEO Kevin Mandia announced Tuesday.
This indicates the attack is likely state-sponsored, by a nation “with top-tier offensive capabilities.”
FireEye is investigating the incident together with the United States Federal Bureau of Investigation and other key partners, including Microsoft.
The security vendor joined the Microsoft Intelligent Security Association (MISA) last year, an ecosystem of independent software vendors that have integrated their solutions for improved cybersecurity.
FBI Cyber Division assistant director Matt Gorham reportedly said that preliminary indications “show an actor with a high level of sophistication consistent with a nation-state.”
Microsoft confirmed that it’s assisting with the investigation and noted that the hackers used a rare combination of techniques to steal FireEye’s tools.
“This incident demonstrates why the security industry must work together to defend against and respond to threats posed by well-funded adversaries using novel and sophisticated attack techniques,” Microsoft said in a widely reported statement.
The hackers apparently tailored their “world-class capabilities specifically to target and attack FireEye” and are highly trained in operational security and executed with discipline and focus, Mandia noted. They operated clandestinely and used “a novel combination of techniques not witnessed by us or our partners in the past.”
The attack “is more proof that a motivated hacker will be able to compromise any organization, no matter how well it is protected,” Ilia Sotnikov, vice president of product management at Netwrix, told TechNewsWorld.
Netwrix develops change management software to help with security and compliance auditing.
‘Red Team’ Tools Accessed
It’s not quite clear what the hackers were after.
Mandia said they primarily sought information related to certain FireEye government customers, consistent with a nation-state espionage effort. FireEye has several government customers.
The hackers accessed some of FireEye’s internal systems, but so far there is no evidence that any data or metadata was stolen.
On the other hand, FireEye said in its Form 8-K, filed with the U.S. Securities and Exchange Commission, also on Dec. 8, that the hackers targeted and accessed “certain Red Team assessment tools” that mimic the behavior of many cyberthreat actors and are used to test FireEye customers’ security.
None of the tools contain zero-day exploits — attacks on a hardware or software vulnerabilities that are known only when they hit a victim.
“We are not sure if the attacker intends to use our Red Team tools or publicly disclose them,” FireEye stated.
“I assume that stolen FireEye Red Team assessment tools will be used…to create a malware that will exploit common vulnerabilities or tweak the existing malware to bypass cyber defense more efficiently,” Netwrix’s Sotnikov said.
FireEye has not seen any evidence that any attacker has used the stolen tools so far, but has developed more than 300 countermeasures to the stolen Red Team assessment tools for its customers and the community at large “out of an abundance of caution.”
These are being publicly released on the firm’s GitHub page. It has also implemented the countermeasures into its security products.
“Our number one priority is working to strengthen the security of our customers and the broader community,” Mandia stated. “We hope that by sharing the details of our investigation, the entire community will be better equipped to fight and defeat cyberattacks.”
FireEye and others in the security community will continue to keep an eye out for any use of the stolen tools.
The company will continue to share and refine any additional mitigations for those tools as they become available, both publicly and directly with its security partners.
Given that FireEye had developed 300 countermeasures and incorporated them into its security products, the attack must have occurred several months ago.
However, FireEye Director of Corporate Communications Melanie Lombardi declined to share further details about the hack with TechNewsWorld.
Impact of the Hack
“The FireEye hack is not the first to happen to a cybersecurity firm, but it can have a long-term effect on organizations worldwide,” Netwrix’s Sotnikov said.
“While not a direct comparison to the Shadow Brokers leak of stolen NSA tools in 2017, this attack can also make advanced attacking tools and techniques available to wider population of less sophisticated cybercriminals.”
The Shadow Brokers is a hacker group that published several leaks of hacking tools developed by the U.S. National Security Agency.
Vendors “should immediately take advantage of countermeasures offered by FireEye team and analyze the detections published on the company’s GitHub repository,” Sotnikov recommended.
Organizations “should keep an eye open for the updates for both security tools as well as other systems and applications to mitigate the possible risks, and consider patching immediately.” The risk of attacks using the stolen Red Teams tools is “quite real.”
FireEye, Inc. (Nasdaq: FEYE) shares were lower by 13 percent at the close of trading today following the announcement of the attack.