Cybersecurity firm FireEye, which is trusted by large corporations and U.S. federal government agencies, was hacked by a highly sophisticated threat actor who made off with the firm's Red Team tools.
The firm and the partners it brought in to investigate believe the breach bears the hallmarks of a nation-state actor with top-tier cyber-espionage capabilities. FireEye also disclosed that the attacker accessed internal systems, primarily seeking information related to certain government customers.
The attack is the latest high-profile breach of this kind since the Shadow Brokers stole and leaked the National Security Agency's (NSA) exploit tools in 2016. North Korea, Russia and China later used those tools in attacks that cost businesses more than $10 billion in losses.
FireEye CEO Kevin Mandia said the “highly sophisticated threat actor, one whose discipline, operational security, and techniques” were unparalleled, could only be a “nation with top-tier offensive capabilities.”
Mandia noted that the attack differed greatly from the “tens of thousands of incidents we have responded to throughout the years.” He added that the security breach was specifically tailored “to target and attack FireEye” and was “executed with discipline and focus.”
“They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past,” Mandia said.
Speculation points to nation-state hackers with links to the Russian government. The FBI assigned the case to its Russia specialists, which strongly suggests that the Kremlin was involved.
The nation-state hackers stole FireEye’s custom Red Team tools during the security breach.
In response, FireEye published countermeasures for the stolen tools: indicators of compromise (IOCs) and detection signatures in Yara, Snort, ClamAV and HXIOC formats, so that any organization can detect the tools if they are turned against it, whoever deploys them. FireEye also stated that the stolen tools contained no zero-day exploits; they rely on publicly known vulnerabilities and techniques, and the firm released a prioritized list of the CVEs the tools exploit so that defenders can patch them.
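The passage above describes defenders applying published indicators to their own estate. The following Python script is an added illustration of that workflow, not FireEye's published countermeasures: it derives a SHA-256 indicator from a "known" sample, adds two byte-string signatures, and walks a directory tree reporting every file that matches. All indicator values, signature names and sample files are constructed for the demo and written into a temporary directory so the script runs offline; the second sample is deliberately given different bytes (and so a different hash) but the same embedded string, to show why string signatures survive a recompile that defeats a hash list.

```python
"""Apply file-hash and byte-string indicators to a directory tree.

Added illustration only: these are not FireEye's published countermeasures,
which were Yara, Snort, ClamAV and HXIOC rules. Every indicator value and
sample file below is constructed for the demo.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class IndicatorSet:
    """Hash indicators match a whole file; string indicators match a substring."""
    sha256: set = field(default_factory=set)
    strings: dict = field(default_factory=dict)  # signature name -> bytes


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path, iocs):
    """Return a list of (indicator_type, detail) hits for one file."""
    hits = []
    digest = sha256_of(path)
    if digest in iocs.sha256:
        hits.append(("sha256", digest))
    with open(path, "rb") as f:
        data = f.read()
    for name, pattern in iocs.strings.items():
        if pattern in data:
            hits.append(("string", name))
    return hits


def scan_tree(root, iocs):
    """Map each file (relative path, forward slashes) with hits to its hit list."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            hits = scan_file(path, iocs)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                results[rel] = hits
    return results


# Constructed signatures (hypothetical names and strings): a banner string
# and a C2 URI path that a recompiled variant would still carry.
DEMO_STRINGS = {
    "demo_tool_banner": b"DEMO-REDTEAM-TOOL v1",
    "demo_tool_c2_path": b"/api/v1/beacon/checkin",
}


def build_demo_tree(root):
    """Write constructed sample files; return the path of the 'known' sample."""
    os.makedirs(os.path.join(root, "bin"), exist_ok=True)
    known = os.path.join(root, "bin", "known_sample.exe")
    with open(known, "wb") as f:
        f.write(b"MZ" + b"\x00" * 16 + b"DEMO-REDTEAM-TOOL v1" + b"\x00" * 8)
    # Recompiled variant: different bytes (different hash) but same C2 path.
    with open(os.path.join(root, "bin", "variant.exe"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 24 + b"/api/v1/beacon/checkin")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    return known


def run_demo():
    """Build the tree, derive a hash IOC from the known sample, and scan."""
    with tempfile.TemporaryDirectory() as root:
        known = build_demo_tree(root)
        iocs = IndicatorSet(sha256={sha256_of(known)}, strings=dict(DEMO_STRINGS))
        return scan_tree(root, iocs)


if __name__ == "__main__":
    for rel_path, file_hits in run_demo().items():
        print(rel_path, file_hits)
```

Running the script reports the known sample twice (hash and banner string) and the variant once (C2 path only); the hash indicator misses the variant entirely. That is the practical reason signature formats such as Yara and Snort, which match code patterns and network traffic rather than whole-file hashes, are worth more to defenders than a hash list.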
“The stolen tools give the attackers another method to compromise government targets,” says Rick Holland, Chief Information Security Officer and Vice President of Strategy at Digital Shadows.
“They can reserve their top-tier tools for ‘hard targets’ like the Department of Defense and potentially leverage these new tools against ‘soft targets’ like civilian government agencies.”
He adds that the tools also give the attackers plausible deniability. Russia has faced severe consequences after the United States and the EU linked the Kremlin to various security breaches.
“The unidentified thieves could use the stolen tools to imitate other countries’ tactics, adding a new layer to protect their true identities and intentions,” Holland says. “Stealing these tools also reduces operational costs as the nation-state actors don’t have to develop new software exploits and management tools for their intrusions.”
FireEye’s cybersecurity partners confirm the involvement of nation-state hackers
FireEye brought in Microsoft and the FBI to help analyze the breach. The FBI is among FireEye's top government customers and regularly calls on the firm to investigate security breaches.
Microsoft confirmed that a nation-state actor was involved, citing the sophistication of the breach. Microsoft spokesman Jeff Jones underscored the need for tech firms to collaborate in confronting similar attacks waged by “well-funded adversaries using novel and sophisticated attack techniques.”
FBI Cyber Division assistant director Matt Gorham described the security breach’s level of sophistication as being “consistent with a nation-state.”
“If a nation-state with all of its resources targets an organization, the chances are very high that the adversary will be successful,” Holland said. “Intelligence agencies can accomplish their missions, so defenders ultimately have to fall back to detection and response.”
Top cybersecurity firms breached by nation-state hackers
Nation-state hackers have targeted top cybersecurity firms for years with surprising degrees of success.
Israeli-backed nation-state hackers compromised Kaspersky Lab in 2015, and Chinese hackers breached RSA Security in 2011.
Avast has also suffered two breaches attributed to state-backed hackers, in 2017 and 2019.
Symantec source code stolen in a 2006 intrusion was leaked by hackers in 2012. State-sponsored threat actors have also reportedly compromised McAfee and Trend Micro in the past.
“The adage ‘those who live in glass houses should not throw stones’ applies here. Any organization can be compromised; it is how you respond to an intrusion that determines its severity,” says Holland.
Because of the prevalence of state-backed intrusions, cybersecurity professionals and prominent individuals lauded FireEye’s transparency.
Senate Select Committee on Intelligence Vice Chairman Sen. Mark Warner (D-Va.) praised the company for disclosing the breach, saying he hoped that “the company’s decision to disclose this intrusion serves as an example to others facing similar intrusions.”
“We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers,” Sen. Warner told ZDNet.
FireEye’s previous encounters with Russian and other nation-state hackers
FireEye's incident response teams have investigated state-sponsored intrusions for years. FireEye attributed the December 2015 and December 2016 attacks on Ukraine's power grid, carried out amid the conflict between the two countries, to Russian state-sponsored hackers linked to the G.R.U.
The California-based firm's Mandiant unit also investigated the 2014 Sony Pictures hack, which the U.S. government attributed to North Korea. In 2015, the State Department contracted FireEye after several agencies came under Russian-backed cyber intrusions.
In 2018 the company also attributed the Triton malware, used in a 2017 attack on the safety instrumented systems of a Saudi Arabian petrochemical plant, to a Russian government-linked research institute. The attack was botched: the tampering tripped the safety controllers and shut the plant down, but disabling those controllers could have allowed physical damage to the facility.
FireEye was also involved in securing the 2020 U.S. presidential elections from state-backed hackers attempting to influence the polls’ outcome. Some believe that the nation-state hackers took the opportunity to target the cybersecurity firm while it focused its attention elsewhere.
Retaliation by Russian hackers is another possible motive, given that the firm has implicated Moscow in several high-profile hacks.