FireEye says hackers stole its red-team tools, suggests state-sponsored group is to blame

FireEye, one of the most influential cybersecurity companies in the world, on Tuesday revealed that it had been breached by a suspected state-sponsored hacking group.

FireEye CEO Kevin Mandia said that the FBI and security experts at Microsoft were helping investigate the incident, in which attackers accessed the tools FireEye uses to simulate attacks against clients. “Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques,” Mandia said in a blog post.

Attackers stole so-called red team tools, which security firms use to imitate real-world hacks on behalf of their clients. Red team tools from a respected firm like FireEye would give malicious attackers a kind of roadmap for subverting defenses and breaching victims.

Mandia said his firm was taking the extraordinary step of developing “more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.”

FireEye did not identify a culprit in the breach. The company’s clients include Fortune 500 companies around the world. Any number of foreign intelligence services could find value in having access to FireEye’s security tools to probe target organizations in the public and private sectors.

“The FBI is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state,” Matt Gorham, assistant director of the FBI Cyber Division, said in a statement. It is a rare case of the FBI commenting on an ongoing investigation.

The company is known for attributing attacks to suspected Russian, Chinese and North Korean hackers, among other groups. The firm is often called in to investigate high-profile data breaches, like the 2014 breach against Sony Pictures.

The breach is reminiscent, in part, of the theft of hacking tools from the National Security Agency, which a mysterious group called the Shadow Brokers began leaking in 2016. Those tools were subsequently used in high-profile cyberattacks, such as the WannaCry ransomware attack.

Dmitri Alperovitch, co-founder of cybersecurity company CrowdStrike, pointed out that major security firms are frequent targets of state-linked hackers.

“We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers,” said Sen. Mark Warner, D-Va., vice chairman of the Senate Intelligence Committee. “As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely.”