Security firm admits company tools used to test customers’ security have been stolen by a “highly sophisticated threat actor”
US-based security specialist FireEye has admitted on Tuesday that it has been attacked “by a highly sophisticated threat actor.”
Indeed, so sophisticated was the attack, FireEye has publicly warned that it believes it “was a state-sponsored attack.”
And to make matters worse, it seems that the company’s arsenal of hacking tools (used to test the cyber defences of clients), have been stolen.
FireEye made the admission in a blog post on Tuesday by CEO Kevin Mandia. The firm has also made a relevant declaration with the US Securities and Exchange Commission.
“Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack,” wrote Mandia.
“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” he added. “This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye.”
“They are highly trained in operational security and executed with discipline and focus,” said Mandia. “They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
Mandia said that both FireEye and the FBI and other key partners including Microsoft, are investigating the attack.
He said their initial analysis supports its conclusion that this was the work of a highly sophisticated state-sponsored attacker.
And matters are even worse, when Mandia revealed that FireEye’s internal hacking tools had been compromised.
“During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security,” warned Mandia. “These tools mimic the behaviour of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits.”
He said that FireEye is now “proactively releasing methods and means to detect the use of our stolen Red Team tools.”
“We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them,” wrote Mandia. “Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.”
Mandia also noted that so far FireEye has “seen no evidence to date that any attacker has used the stolen Red Team tools”, but it and the industry will continue to monitor the situation.
And Mandia also said that the hackers seemed to be especially interested in FireEye’s work with government departments.
“Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers,” wrote Mandia. “While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems.”
Shares in FireEye reportedly dropped 8 percent in after-hours trading, after the admission.
In August last year FireEye warned that APT41, one of the most effective hacking teams backed by the Chinese government, also dabbled in cyber crime operations for cash.
Its research had found that that members of API41 carried out state-sponsored espionage activity in parallel, along with with financially motivated operations.
But at least one security expert said the attack raised many questions, and FireEye has a duty to be completely transparent about the incident.
“The incident seems to be quite mysterious and obscure,” Ilia Kolochenko from ImmuniWeb told Silicon UK. “On one side, FireEye readily talks about a ‘highly sophisticated state-sponsored adversary’, on the other, says that ‘no 0days’ or otherwise highly valuable data was stolen.”
“Why would a nation-state APT ever bother to expose their own 0days and advanced hacking techniques to get a collection of semi-public Red Teaming tools?” he asked.
“A wide spectrum of vital questions likewise remains unanswered: when did this incident happen, which systems are impacted, what are the chances that clients’ data was compromised?” Kolochenko said.
“We cannot exclude a probability that this specific incident was merely a smokescreen aimed to distract FireEye from a more important attack targeting clients’ data or ultra-confidential private research,” he concluded. “More transparency is expected from FireEye to dispel the doubts and bring clarity.”