
FireEye hacked, red team tools stolen

Kevin Mandia, CEO of FireEye, testifies before the Senate Intelligence Committee. FireEye announced it has purchased Respond Software, a startup that sells machine learning and automated, cloud-based investigation, detection and response services. (Photo by Win McNamee/Getty Images)

FireEye, one of the premier global threat intelligence and cybersecurity companies, had its offensive security tools stolen by hackers, the company announced.

In a blog post published Tuesday, CEO Kevin Mandia said the company was recently attacked “by a highly sophisticated threat actor” whose techniques, discipline and operational security reflect those of the nation-state hacking groups FireEye regularly tracks for its customers. The company alerted the Securities and Exchange Commission in a filing the same day.

“I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia wrote. “This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

Their target was apparently the company’s coveted red team kits, a set of offensive security tools the company uses to mimic threat actors and test the security of its clients’ networks. None of the tools used zero-day exploits, that is, publicly unknown software vulnerabilities for which no patch exists. Because the tools rely on known vulnerabilities, Mandia said the company has implemented countermeasures in its products and publicly released internal research that can be used to detect the use of FireEye tools in the wild.

Mandia believes the motive for the attack was espionage, particularly information around FireEye’s work with government agencies. As of now there is no indication that customer information or data from the company’s incident responses were stolen, though firms like FireEye are often the first to warn that it can be difficult to definitively assess that in the immediate aftermath of an attack.

Threat intelligence firms often say a company's threat model – who in the cybercriminal or APT ecosystem has the means, motive and capability to target your organization – matters just as much as the strength of its security controls. By that logic a company like FireEye, which responds to hundreds of intrusions across its customer base each year, would hold information that is valuable to many foreign governments.

Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and former chief technology officer for threat intelligence firm CrowdStrike, said it's "important to remember that no one is immune" to the threat of being breached, even companies that offer cybersecurity services.

"Security companies are a prime target for nation-state operators for many reasons, but not least of all is ability to gain valuable insights about how to bypass security controls within their ultimate targets," Alperovitch tweeted shortly after the news went public.

It's not clear exactly when the attack happened or the specific capabilities of the stolen tools. The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security said it has yet to see the tools used in the wild, but urged practitioners to be on their guard.

“Although [CISA] has not received reporting of these tools being maliciously used to date, unauthorized third-party users could abuse these tools to take control of targeted systems,” the agency said in an alert.

In a statement, Sen. Mark Warner, D-Va., co-chairman of the Senate Select Committee on Intelligence, applauded FireEye's transparency in the wake of the hack and said he hoped it would serve as an example to other companies in the future. He also said it underscores the shared interest of U.S. companies and the government in beating back cyberattacks from foreign governments.

“We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers," said Warner. "As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely.”

FireEye Inc. (FEYE, -11.47%) shares dropped in the extended session Tuesday after the cybersecurity company said sophisticated hackers accessed the tools it uses to test its customers’ security.

FireEye's stock price took a hit following news of the cyberattack, with shares falling 7 percent after hours and continuing to decline in the early hours of Wednesday trading.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
