FireEye, a $3.5 billion company that helps customers respond to some of the world's most sophisticated cyberattacks, has itself been hacked, most likely by a well-resourced nation-state that made off with the "red team" attack tools the company uses to pierce customers' network defenses during authorized testing.
The revelation, made in a press release after the market closed on Tuesday, is a significant event. With a market cap of $3.5 billion and some of the most experienced people in the security industry, the company's defenses are formidable. Even so, attackers were able to dig into FireEye's heavily fortified network using techniques no one in the company had seen before.
The hack also means that a group already capable of breaking into an organization with FireEye's security skills and resources now possesses the company's proprietary attack tools, a theft that makes the attackers an even greater threat to companies around the world. According to FireEye, the stolen tools did not contain any zero-day exploits. FireEye shares fell about 7 percent in extended trading after the disclosure.
To date, the company has seen no evidence that the tools are actively being used in the wild and is unsure whether the attackers intend to use them. Such tools are used by so-called red teams, who mimic malicious hackers in exercises that simulate real-world attacks. FireEye has released a variety of signatures and other countermeasures that customers can use to identify and block the attacks if the tools are used. Some researchers who examined the countermeasures said they appeared to show that the tools weren't particularly sophisticated.
Tuesday's release was written by Kevin Mandia, FireEye CEO. He wrote:
With 25 years of cybersecurity and incident response experience, I have come to the conclusion that we are witnessing an attack by a nation with world-class offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to over the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques that we or our partners have not seen in the past.
We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a sophisticated, government-sponsored attacker employing novel techniques.
The attacker was primarily seeking information on some of FireEye's government customers, but it is not yet clear whether it was successful. According to Mandia, FireEye has found no evidence that the hackers exfiltrated data from the company's primary systems, which store customer information from incident response or consulting engagements. Nor is there any evidence that the attackers obtained any of the metadata collected by its threat intelligence systems.
FireEye did not provide any details on the origin of the attackers other than that the evidence strongly suggested that they were sponsored by a nation state. The New York Times reported that the FBI turned the investigation over to its Russian specialists, suggesting that the Kremlin was behind the hack.
The Washington Post went a step further, quoting an unnamed source who said the hack was the work of Russia's SVR intelligence service. If so, the hackers belong to a group known by a wide variety of monikers, including APT29, Cozy Bear, and the Dukes. The group, which was one of two Russian hacking outfits that breached the Democratic National Committee in 2016, is affiliated with one of the country's intelligence agencies, according to security firm CrowdStrike.
The FBI rarely confirms investigations, even when the victims have already reported them. On Tuesday, Matt Gorham, assistant director of the FBI's cyber division, issued a statement that read in part: "The FBI is investigating the incident, and preliminary indications show an actor with a high degree of sophistication consistent with a nation-state."
Meanwhile, Senator Mark R. Warner (D-VA), vice chairman of the Senate Select Committee on Intelligence and co-chairman of the Senate Cybersecurity Caucus, issued a statement saying, "The hack of a cybersecurity leader shows that even the most sophisticated companies are vulnerable to cyberattacks. I applaud FireEye for quickly going public with this news, and I hope the company's decision to disclose this intrusion will serve as an example to others who may experience similar intrusions."
FireEye is hardly the only security company to have suffered a malicious hack. In 2011, RSA said it had suffered a breach that allowed attackers to steal data that "could potentially be used to reduce the effectiveness of a current two-factor authentication implementation." The statement suggested that the information pertained to the company's SecurID product, which at the time was used by 40 million people.
In 2013, attackers broke into Bit9, stole one of its code-signing certificates, and used it to sign malware that was then installed on the networks of three of its customers.
And in 2015, Kaspersky Lab announced that malware derived from Stuxnet, the malware the US and Israel reportedly unleashed on Iran, had infected its network and gone undetected for months.