FireEye, a $3.5 billion company that helps customers respond to some of the world’s most sophisticated cyberattacks, has itself been hacked, most likely by a well-endowed nation-state that made off with potent “red-team” attack tools used to pierce network defenses.
The revelation, made in a press release posted after the close of stock markets on Tuesday, is a stunning development. It suggests that a group that was already capable of penetrating a company with FireEye’s security prowess and resources is now in possession of new exploits, backdoor implants, or other tools, making the hackers an even greater threat to organizations all over the world. FireEye said the stolen tools didn’t included any zeroday exploits.
So far, the company has seen no evidence that the tools are actively being used in the wild and isn’t sure if the attackers plan to use them. Nonetheless, FireEye said it is releasing more than 300 countermeasures that customers can use to protect themselves in the event that the tools are used. Such tools are used by so-called red teams, which mimic malicious hackers in training exercises that simulate real-world hack attacks.
Tuesday’s release was written by FireEye CEO Kevin Mandia. He wrote:
Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.
We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.
The attacker primarily sought information related to some of FireEye’s government customers, but it’s not clear yet if they succeeded. Mandia said FireEye has found no evidence that the hackers exfiltrated data from the company’s primary systems that store customer information from incident responses or consulting engagements. There’s also no evidence that the attackers obtained metadata collected by threat-intelligence products.
FireEye provided no details about the origin of the attackers beyond saying the evidence strongly suggested they were sponsored by a nation-state. The New York Times reported that the FBI has turned over the investigation to its Russian specialists, suggesting that the Kremlin is behind the hack.
This is a developing story.