Top cybersecurity firm FireEye hacked by a nation-state actor

Pierluigi Paganini December 08, 2020

The cyber security giant FireEye announced that it was hacked by nation-state actors, likely Russian state-sponsored hackers.

FireEye is one of the most prominent cybersecurity firms; it provides products and services to government agencies and companies worldwide.

The company made the headlines because it was the victim of a hack, and experts blame Russia-linked hackers for the attack.

“FireEye revealed on Tuesday that its own systems were pierced by what it called ‘a nation with top-tier offensive capabilities.’ The company said hackers used ‘novel techniques’ to make off with its own tool kit, which could be useful in mounting new attacks around the world,” reported The New York Times.

The company notified law enforcement, and the F.B.I. launched an investigation into the hack.

“Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.” reads a post published by FireEye.

The security firm did not attribute the attack to a specific actor, but the NYT pointed out that the F.B.I. agents involved in the investigation were Russia specialists.

The intruders were interested in gathering information about the tools used by the company, the so-called “Red Team tools.” Red Team tools are custom tools developed from malware spotted by the company in attacks in the wild.

The Red Team tools could replicate the most sophisticated hacking tools in the world and are used by the company for penetration testing and vulnerability assessment on the systems of FireEye’s customers.

“During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security,” reported the security firm. “These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits.”

The tools in FireEye’s arsenal are placed in a sort of digital safe, but these tools in the wrong hands could be very dangerous. Threat actors could use these tools to carry out attacks that could not be attributed to them.

Experts highlighted the possibility that Russian intelligence agencies saw an advantage in mounting the attack while US authorities were focused on securing the presidential election system.

This hack is the most severe since the 2016 theft of the National Security Agency’s hacking tools by the ShadowBrokers group.

The attack against FireEye was very sophisticated and threat actors “went to extraordinary lengths” to fly under the radar.

The attack involved previously unseen IP addresses, many inside the United States.

“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye.” wrote Kevin Mandia. “They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

Mandia explained that this is a surgical attack that exhibited “discipline and focus.” Google, Microsoft, and other firms that conduct cybersecurity investigations declared they had never seen some of these techniques.

FireEye opted to share key elements of its Red Team tools so that other defense teams around the world would be able to detect ongoing attacks using them.

Investigators are trying to determine whether the hackers exploited a recently patched VM flaw that, according to an advisory published by the N.S.A., was targeted by Russia-linked hackers in recent attacks.

At the time of this writing, FireEye has seen no evidence that any attacker has used the stolen Red Team tools.


Pierluigi Paganini

(SecurityAffairs – hacking, BISMUTH)
