FireEye, one of the world’s largest cyber security firms, announced on Tuesday that it had been hacked by ‘a highly sophisticated state-sponsored adversary’, which sources say is likely to be Russia.
The company announced the breach in a blog post revealing the attackers stole valuable hacking tools – known as Red Team tools – which are used by FireEye to test its own customers’ computer networks for weaknesses to attack.
It did not say when the hack happened or who it applied to but that it was ‘state sponsored’ and ‘a nation with top-tier offensive capabilities.’
FireEye didn’t label Russia as the culprit but the investigation is being handled by the FBI’s Russia specialists and sources told multiple news outlets the nation’s intelligence service is thought to be behind the attack.
FireEye is now working with the FBI as well as Microsoft to investigate the attack, amid fears that the tools falling into the wrong hands could be used to mount fresh attacks on governments and big businesses worldwide.
FireEye, one of the largest cyber security firms in the world, has been hacked
According to a source close to the investigation, the hackers were extraordinarily precise and specifically targeted FireEye.
‘This was a sniper shot that got through,’ the source told the Wall Street Journal.
Kevin Mandia, FireEye’s CEO who is also a former Air Force Officer, said the attack was ‘top-tier’.
‘Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.
‘We are witnessing an attack by a nation with top-tier offensive capabilities.
‘This attack is different from the tens of thousands of incidents we have responded to throughout the years,’ he wrote in the blog post.
Though Mandia stopped short of pointing the blame at Russia, sources said the investigation so far indicates the nation is behind the attack.
A motive for the attack is unclear but FireEye does have a history with Russia.
FireEye CEO Kevin Mandia said the attack was carried out by ‘world class’ operatives
The cyber security company previously exposed the nation for being behind several high-profile attacks in recent years including a breach on the US State Department in 2015 and multiple breaches on the Ukraine power grid.
Investigators are said to be exploring the possibility the attack on FireEye is connected to a separate Russian state-sponsored attack the NSA warned about this week.
On Monday, the NSA urged companies to update their VMWare products because ‘Russian state-sponsored malicious cyber actors’ are seeking to exploit vulnerabilities in the systems.
The same day as the FireEye attack, Russia’s National Association for International Information Security held a security forum where they insisted there was no evidence to show Russia was behind recent cyber attacks.
Mandia said FireEye’s hacker primarily sought information related to certain government customers, something he said is ‘consistent with a nation-state cyber-espionage effort’.
The hackers accessed the company’s Red Team tools which, they say, ‘apply well-known and documented methods that are used by other red teams around the world.’
The culprit made off with a significant number of its cyber security tools but none of the tools contained zero-day exploits – where a vulnerability is found in a system by a hacker and exploited before the company realizes something is wrong and can fix it.
So far there is no evidence that the attacker removed data from the FireEye’s primary systems that store customer information, Mandia said.
Shares in FireEye plummeted by 7.22 percent in extended trading Tuesday to a low of $14.14 per unit after the news broke of the breach
He added that customers would be notified directly if this did turn out to be the case.
At this point, none of the information that has been compromised has been used but Mandia said there was no way of knowing what the hackers wanted to do with it.
‘It’s important to note that FireEye has not seen these tools disseminated or used by any adversaries, and we will continue to monitor for any such activity along with our security partners,’ Mandia said.
The attacker could plan to use the tools themselves or to publicly disclose them.
Gregory Touhill, president of AppGate Federal Group and former federal chief information security officer, told the Washington Post the state behind the attack might want to find out what FireEye knows about its capabilities in order to protect itself, or it could use the tools to look for weaknesses to exploit in others.
FireEye has developed and issued more than 300 counter measures for its customers to try to limit the damage.
Shares in the company plummeted by 7.22 percent in extended trading Tuesday to a low of $14.14 per unit after the news broke of the breach.
An FBI spokesman said in a statement it is investigating the attack but also refrained from naming Russia as the prime suspect.
‘The FBI is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation state.
‘It is important to note that our adversaries are continuously looking for US networks to exploit.
FireEye didn’t label Russia as the culprit but the investigation is being handled by the FBI’s Russia specialists and sources told multiple news outlets the nation’s intelligence service is thought to be behind the attack
‘That is why we are focused on imposing risk and consequences on malicious cyber actors, so they think twice before attempting an intrusion in the first place; why we are focused on quickly responding to victims and providing organizations with the information they need to defend their networks; and we are encourage anyone that notices suspicious activity to notify the FBI or the USSS.’
The nation’s Cybersecurity and Infrastructure Security Agency said Tuesday that it had no reports of FireEye’s tools being used maliciously, but warned that ‘unauthorized third-party users could abuse these tools to take control of targeted systems.’
Virginia Senator Mark Warner applauded FireEye for publicly disclosing the breach.
‘We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers,’ the Democrat said in a statement.
FireEye is one of the world’s top cyber security firms and has more than 9,600 clients including Sony and Equifax.
The company also has a partnership with the Department of Homeland Security.
The DHS has incorporated the countermeasures into its products already, FireEye said Tuesday.
FireEye has long been the cyber company of choice for government agencies and big corporations to both protect them from attack and track down the culprits when an attack does take place.
According to a source close to the investigation, the hackers were extraordinarily precise. ‘This was a sniper shot that got through,’ they said
The company’s tools are used to simulate cyber attacks on its customers to identify weaknesses in their systems that can then be better protected.
Meanwhile, the firm is also often brought in to investigate attacks on companies and government agencies.
It has been at the forefront of investigating sophisticated state-backed hacking groups, including Russian groups trying to break into state and local governments in the US that administer elections.
FireEye is credited with uncovering that Russian military hackers were behind 2015 and 2016 attacks on Ukraine’s energy grid and that Russia was behind an attack on the US State Department in 2015.
It has also worked with Sony on its 2014 attack that later turned out to come from North Korea and the investigation into the 2017 attack on Equifax.
Tuesday’s announcement that one of the top cyber security firms in the world that works to protect and advise customers on attacks has itself fallen foul to a breach shows the sophisticated nature of the hacker.
It also comes at a time when the US has been focusing on breaches related to voting in the presidential election.
The recent attack is the biggest theft of cyber security tools since the National Security Agency was hacked and had its tools stolen in 2016, according to the New York Times.
The stolen tools later ended up dumped online over a number of months leaving the NSA as well as several government agencies open to attack.
FireEye is based in California and is worth $3.5billion. In 2013, the company acquired cyber firm Mandiant which was set up by Mandia in 2004. Mandia then became CEO of FireEye in 2016.
This content was originally published here.