FireEye, a top-end cybersecurity firm that works to protect government and corporate systems alike, announced on Tuesday that it was itself the target of hackers it described as coming from “a nation with top-tier offensive capabilities.” The hackers stole FireEye’s own offensive tools, which could be used in future hacking operations.
The news highlights how those in the cybersecurity industry can also be the target of hackers, and in particular, those who may hold valuable hacking techniques.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” FireEye CEO Kevin Mandia wrote in a blog post. “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
Specifically, the announcement said FireEye found the hackers stole “Red Team assessment tools,” tools that are used to offensively test systems’ security for the benefit of customers who want to make sure that their defenses could withstand a real attack. In response, FireEye released methods for detecting the use of such tools, presumably in case the hackers decide to use them in the future.
“We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools,” Mandia’s post added.
The FireEye announcement added that the attacker primarily sought out information related to “certain government customers.”
“While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements or the metadata collected by our products in our dynamic threat intelligence systems,” it added.
The case bears some similarities to the theft of offensive hacking tools from the NSA. In 2016, a group of self-described hackers calling themselves the Shadow Brokers started to publicly release powerful exploits stolen from the agency. Microsoft issued patches for a number of the underlying vulnerabilities, but other hackers were still able to adapt and use the exploits for their own purposes. Famously, the WannaCry ransomware attack, which devastated networks across the world, including in hospitals, made use of code the Shadow Brokers released. Multiple private and government entities have attributed the WannaCry attacks to hackers working on behalf of North Korea.
The Shadow Brokers dump included zero-day exploits, which take advantage of vulnerabilities that the affected vendors were not aware of at the time of release, and so had not been able to patch. FireEye’s announcement said its own stolen toolkit did not include zero-day exploits.
FireEye has been involved in responding to some of the most high-profile hacks stretching back years, including those at Sony, Equifax, and Anthem.
“We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers. As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely,” Senator Mark Warner said in a statement reacting to news of the hack.