FireEye Says ‘Sophisticated’ Hacker Stole Red Team Tools
Cybersecurity Firm Shares Countermeasures With Partners and Government Agencies to Blunt the Effects of the Breach
Cybersecurity powerhouse FireEye late Tuesday acknowledged that a “highly sophisticated” threat actor broke into its corporate network and stole a range of automated hacking tools and scripts.
The breach, likely the work of a nation-state backed actor, follows a pattern of advanced threat actors targeting security vendors. FireEye said the stolen red-team tools are publicly available and have been modified to evade basic security detection mechanisms.
“Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them, FireEye is releasing hundreds of countermeasures with this blog post to enable the broader security community to protect themselves against these tools,” FireEye said in a blog post announcing the intrusion.
“We have incorporated the countermeasures in our FireEye products—and shared these countermeasures with partners, government agencies—to significantly limit the ability of the bad actor to exploit the Red Team tools,” the company added.
FireEye said the tools stolen by the attacker did not contain zero-day exploits. “The tools apply well-known and documented methods that are used by other red teams around the world.
“Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario,” it added.
FireEye CEO Kevin Mandia said the company was specifically targeted by the attacker. “Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia said in a separate statement.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye,” he added.
Mandia also disclosed that the attacker primarily sought information related to “certain government customers.”
“While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly,” the chief executive added.
FireEye isn’t the first big-name security vendor to suffer a breach at the hands of nation-state backed threat actors. In 2015, Kaspersky acknowledged its network was compromised by a threat actor known publicly as Duqu and linked to a nation-state.
“If a nation-state with all of its resources targets an organization, the chances are very high that the adversary will be successful,” Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, told SecurityWeek. “Intelligence agencies can accomplish their missions, so defenders ultimately have to fall back to detection and response. The adage, ‘those who live in glass houses should not throw stones,’ applies here. Any organization can be compromised; it is how you respond to an intrusion that determines its severity.”
“Hopefully, these tools don’t make their way into the public’s hands,” Holland continued. “We have seen the damaging impact of Hacking Team and the NSA’s EternalBlue tool leaks/disclosures. If these tools become widely available, this will be another example of the attackers’ barrier to entry getting lower and lower. The bottom line here: these tools making into the wrong hands will make defenders’ lives more challenging.”
Shares of publicly traded FireEye (NASDAQ: FEYE) were trading down nearly 8% in after hours trading Tuesday, after enoying a recent rise following a $400 million strategic investmentled by investment giant Blackstone announced in late November.