Premiere security firm FireEye says it was breached by nation-state hackers | GeekComparison


FireEye, a $3.5 billion company that helps customers respond to some of the world’s most sophisticated cyber-attacks, has itself been hacked, most likely by a well-resourced nation-state that made off with the “red-team” attack tools the company uses to break through customers’ network defenses.

The revelation, made in a press release posted Tuesday after the stock markets closed, is a major event. With a market cap of $3.5 billion and some of the most experienced employees in the security industry, the company’s defense is formidable. Despite this, attackers were able to penetrate FireEye’s heavily fortified network using techniques no one in the company had ever seen before.

The hack also raises the specter that a group already able to penetrate a business with FireEye’s security skills and resources now possesses the company’s own attack tools, a theft that makes the hackers an even greater threat to organizations across the globe. FireEye said the stolen tools contained no zero-day exploits. FireEye shares fell about 7 percent in extended trading following the disclosure.

So far, the company has seen no evidence of the tools being actively used in the wild and is unsure if the attackers intend to use them. Such tools are used by so-called red teams, who emulate malicious hackers in training exercises that simulate real hacking attacks. FireEye has released a wealth of signatures and other countermeasures that customers can use to detect and thwart attacks if the tools are used. Some researchers who reviewed the countermeasures said they seemed to show that the tools were not particularly sensitive.

Tuesday’s release was written by FireEye CEO Kevin Mandia. He wrote:

Based on my 25 years in cybersecurity and incident response, I have come to the conclusion that we are witnessing an attack by a nation with offensive capabilities of the highest order. This attack is unlike the tens of thousands of incidents we have responded to over the years. The attackers have modified their world-class abilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that countered security tools and forensics. They used a new combination of techniques that have not been seen by us or our partners in the past.

We are actively conducting investigations in conjunction with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker using new techniques.

The attacker was primarily looking for information related to some of FireEye’s government customers, but it’s not yet clear if they succeeded. Mandia said FireEye found no evidence that the hackers exfiltrated data from the company’s primary systems that store customer information from incident responses or consulting engagements. There is also no evidence that the attackers obtained any metadata collected by threat intelligence products.

FireEye gave no details about the attackers’ origins, except that the evidence strongly suggested they were sponsored by a nation-state. The New York Times reported that the FBI has turned the investigation over to its Russian specialists, suggesting the Kremlin is behind the hack.

The Washington Post took it a step further, quoting an anonymous source who said the hack appeared to be the work of Russia’s SVR intelligence agency. If true, it means the hackers belong to a group that goes by several names, including APT 29, Cozy Bear, and the Dukes. The group, which was one of two Russian hacking outfits to breach the Democratic National Committee in 2016, is linked to the country’s SVR, according to security firm CrowdStrike.

The FBI rarely confirms investigations, even if they have already been reported by the victims. However, on Tuesday, Matt Gorham, the deputy director of the FBI’s cyber division, issued a statement that read in part: “The FBI is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”

Meanwhile, Sen. Mark R. Warner (D-VA), the vice chair of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, issued a statement saying, “The hack of a leading cybersecurity company shows that even the most sophisticated companies are vulnerable to cyber attacks. I applaud FireEye for breaking this news so quickly, and I hope the company’s decision to disclose this breach serves as an example to others facing similar breaches.”

FireEye isn’t the only security company to have suffered a malicious hack. In 2011, RSA said it was hit by a breach that allowed attackers to steal data that “could potentially be used to diminish the effectiveness of a current two-factor authentication implementation,” a statement suggesting that information related to the company’s SecurID product, used by 40 million people at the time, had been targeted.

In 2013, crooks broke into Bit9, stole one of its cryptographic certificates and used it to infect three of its customers with malware.

And in 2015, Kaspersky Lab revealed that malware originating from Stuxnet — the malware the US and Israel allegedly unleashed on Iran — had infected its network and went unnoticed for months.
