Cybersecurity corp FireEye has confessed its most secure servers have been compromised, almost certainly by state-backed hackers who then made away with its proprietary hacking tools.
“Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack,” a memo by its CEO Kevin Mandia on Tuesday read.
The tools stolen are used by FireEye to test their customers’ networks to find potential security holes, making it doubly embarrassing for the tech giant because, presumably, it uses its own tools to make sure its networks are secure. No nation state was named by FireEye though Russian involvement is suspected by the usual anonymous sources.
In an effort to save face, Mandia went to some trouble to outline just how good the hackers were and the extraordinary lengths they must have gone to in order to pull down its pants in public, spank it on the bottom, and then run away laughing while FireEye was standing at a lectern telling everyone why they needed to hire the company to protect their networks.
Roaring trade in zero-days means more vulns are falling into the hands of state spies, warn security researchers
“I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years,” he opined.
“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
FireEye didn’t say exactly when it noticed the hack but noted it had already run an analysis with the FBI and Microsoft and concluded that it “was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.” The FBI confirmed as much in its own brief statement.
Red Team red teamed
As for hacking tools stolen, Mandia said: “We have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers.”
Fortunately none of those tools contain zero-day exploits, at least according to FireEye, and it said it has yet to detect the tools being used elsewhere. It has published ways to detect its own tools being used, as well as countermeasures, so others can keep an eye out for the misuse of its software. One imagines that means FireEye will have to come up with new tools for performing penetration tests for customers, otherwise its clients’ IT teams could detect and thwart them quite easily from these countermeasures.
“We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them,” he noted. “Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.”
If the stolen tools are leaked, the impact could still be significant. Would-be hackers could use the pilfered tech to hone their evasion and exfiltration techniques and exploits to ensure they aren’t detectable by FireEye’s code, and so greatly increase the chances of successfully breaking in others’ networks.
Publicly listed company FireEye, worth around $3.5bn, is often the company called in to deal with massive security breaches – it dealt with both the Sony and Equifax hacks – and it goes to significant lengths to protect its tools, making their loss that much worse.
As to the goal of the hack, FireEye says it “primarily sought information related to certain government customers” and noted that “while the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems.”
So, you know, not a big deal at all. In fact, it’s absolutely fine and FireEye is only going to get bigger and stronger as a result, Mandia shakily insisted: “We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. We will never be deterred from doing what is right.”
The company published the chief exec’s note, and a related SEC filing, just minutes before the stock market closed. Its share price has fallen by more than seven per cent in after-hours trading. ®