One of the US’s major cybersecurity firms, FireEye, yesterday announced that it had been hacked. The attack was most likely conducted by state-sponsored hackers who stole tools used by FireEye to test clients’ cyber defenses. The stolen tools could be used by the hackers to mount new worldwide attacks.
Founded in 2004, FireEye is a major US cybersecurity company headquartered in California. The $3.5 billion company holds extensive government contracts and has identified culprits in some of the world’s boldest breaches. It provides hardware, software and services to investigate cybersecurity attacks, protect against malicious software and analyze IT security risks.
FireEye is a publicly listed company and its share price fell almost 8 per cent after it announced yesterday that it had been hacked. The company blog post by CEO Kevin Mandia described the incident as “an attack by a nation with top-tier offensive capabilities.”
The attack on FireEye has been considered by some as an act of retribution. Over the years, FireEye has repeatedly credited Russian military intelligence agencies, such as the GRU, of conducting various cyberattacks. For example, the high-profile hacks of Ukraine’s power grid and attacks against US municipalities.
FireEye has not revealed who breached their systems. However, The New York Times reported that Russia is the lead suspect since the attack is being investigated by the FBI’s Russia specialists.
A Significant Breach
The hack of FireEye has been described as one of the most significant breaches in recent times. This is because the company holds several US national security contracts with agencies like the FBI and the National Security Agency.
FireEye revealed that the hackers had gained access to some of its internal systems but did not disclose exactly when the attack occurred. Mandia stated that the hackers’ primary goal appeared to have been stealing information on its government clients. However, at this stage it does not appear that the attackers were successful in exfiltrating any clients’ data.
The extent of the attack is not yet fully known, as FireEye’s investigations are still in their early stages. The company said it was investigating the hack with the help of the FBI and other groups, including Microsoft. Matt Gorham, assistant director of the FBI’s Cyber Division, said that the agency “is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”
Stolen Cybersecurity Tools
What is currently known, is that the hackers successfully stole the company’s cybersecurity tools. Mandia said in the post: “This attack is different from the tens of thousands of incidents we have responded to throughout the years. […] They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.” Nonetheless, the incident raises the possibility that the hackers will utilize the stolen tools to attack FireEye’s clients and others.
The stolen cybersecurity tools are used by FireEye’s “Red Team” to hack clients’ networks and identify vulnerabilities in their cyber defenses. The Red Team tools are basically digital tools that replicate the most sophisticated hacking tools in the world. They are built from malware that FireEye has come across over the years while investigating a wide range of cyberattacks.
The stolen Red Team tools target a vast number of different vulnerabilities, however, none of them target zero-day exploits. Zero-day vulnerabilities are weaknesses that have not yet been publicly identified and for which there are no fixes. FireEye explained that the stolen tools “range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit.”
FireEye is currently trying to ascertain how the hackers managed to breach its most protected systems. The tools are apparently held in a digital vault that FireEye closely guards. Mandia wrote “We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them.” Experts note that it can be difficult to measure the impact of hacking tool leaks that focus on known vulnerabilities.
FireEye’s leak is the biggest theft of cybersecurity tools since the National Security Agency (NSA) theft in 2016. In the NSA incident, the hacking group ShadowBrokers released the NSA’s cybersecurity tools on the dark web. North Korea, China and Russia where then noted using NSA’s stolen tools in worldwide destructive attacks against government agencies. With the stolen tools, cybercriminals also attacked hospitals and the world’s biggest multinationals.
For hackers, using stolen tools instead of their own tools is an advantage. It allows them, especially nation-state groups, to hide their tracks. “Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability,” said Patrick Wardle, a principal security researcher at software company Jamf.
FireEye Provides Countermeasures
FireEye stated that at this stage it has no evidence that its stolen tools had been used by hackers. Nonetheless, in the hope of helping its clients and others to protect themselves, FireEye has published more than 300 countermeasures. It has setup a public Github repository to host these countermeasures for its stolen Red Team tools.
Furthermore, FireEye promised it would continue to update the public repository with new or refined detections for hosts, networks and file-based indicators. The company is also publishing a list of vulnerabilities that need addressing to limit the effectiveness of their stolen tools. Finally, FireEye has published key elements of its tools so that people can detect attacks using their tools more easily.