FireEye says it was hacked by a government
Milpitas cybersecurity firm FireEye said Tuesday that it was hacked by what could only be a government with “worldclass capabilities,” and the hackers stole tools the company uses to test the strength of customers’ defenses.
“I’ve concluded we are witnessing an attack by a nation with toptier offensive capabilities,” FireEye CEO Kevin Mandia said in a statement. “This attack is different from the tens of thousands of incidents we have responded to throughout the years.“
He did not indicate who might be responsible or say when the company detected the hack. Phone calls to company officials were not immediately returned.
The stolen “red team” tools could be dangerous in the wrong hands, though FireEye said there’s no indication they have been used. The company said it developed 300 countermeasures to protect customers and others from them and was making them immediately available.
The hackers “primarily sought information related to certain government customers,” Mandia said, without naming them. He said there was no indication that customer information obtained from FireEye’s consulting or incident response businesses were accessed by the hackers.
The publicly traded cybersecurity company has been at the forefront of investigating sophisticated statebacked backing groups, including Russian groups trying to break into state and local governments in the U. S. that administer elections. Many of those state and local governments are FireEye customers.
Among attributions credited to FireEye was that Russian military hackers were behind 2015 and 2016 attacks on Ukraine’s energy grid.
FireEye said it is investigating the attack in coordination with the FBI and partners such as Microsoft, which has its own cybersecurity team. Mandia said the hackers used “a novel combination of techniques not witnessed by us or our partners in the past.”
Matt Gorham, assistant director of the FBI’s cyber division, said “preliminary indications show an actor with a high level of sophistication consistent with a nation state” was involved. He said the government is “focused on imposing risk and consequences on malicious cyber actors, so they think twice before attempting an intrusion in the first place.”
That has included what the U. S. Cyber Command terms “defending forward” operations, which include penetrating networks of adversaries, including Russia.
The nation’s Cybersecurity and Infrastructure Security Agency said Tuesday that it has not received reporting of FireEye’s stolen tools being used maliciously, but warned that “unauthorized thirdparty users could abuse these tools to take control of targeted systems.“
Sen. Mark Warner, DVa., who is on the Senate’s intelligence committee, applauded FireEye for quickly disclosing the intrusion.
“We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nationstate hackers,” Warner said in a statement.
Cybersecurity expert Dmitri Alperovitch said he was not surprised by the announcement because companies like FireEye are top targets.
“Every security company is being targeted by nationstate actors. This has been going on got over a decade now,” said Alperovitch, cofounder and former chief technical officer of Crowdstrike, which investigated the 2016 Russian hack of the Democratic National Committee and Hillary Clinton’s campaign.
He said the release of the “redteam” tools, though a serious concern, was “not the end of the world because threat actors always create new tools.”
“This could have been much worse if their customer data had been hacked and exfiltrated. So far there is no evidence of that,” Alperovitch said.