FireEye victim of 'state-sponsored' cyberattack

Cybersecurity firm’s share price drops as it reveals its Red Team arsenal of hacking tools was accessed

FireEye has been hit by a cyberattack that it believes to be "state sponsored", CEO Kevin Mandia has said.

Mandia believes the attack was made by a nation with "top-tier offensive capabilities" and was specifically coordinated to attack the US vendor.

"Based on my 25 years in cybersecurity and responding to incidents, I've concluded we are witnessing an attack by a nation with top-tier offensive capabilities," he wrote in a blog on the company's website.

"This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."

The hackers accessed some of FireEye's Red Team assessment tools, which it uses to test its customers' security posture. These tools mimic the behaviour of hackers and allow FireEye to provide diagnostic services to clients. Mandia said none of the tools that were plundered contained zero-day exploits and that it was releasing methods and means to detect the use of its stolen tools.

"We have seen no evidence to date that any attacker has used the stolen Red Team tools. We, as well as others in the security community, will continue to monitor for any such activity," Mandia continued.

"We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimise the potential impact of the theft of these tools."

The company has introduced a number of measures to ensure the safety of its customers and the wider community, including deploying countermeasures in its security products, preparing countermeasures that can detect or block the use of its stolen tools, and sharing those measures with the wider security community through a separate blog post.

Mandia also disclosed that the attack mainly went after information related to some of FireEye's government customers.

"Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers," he added.

"While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems.

"If we discover that customer information was taken, we will contact them directly."

FireEye is investigating the matter in conjunction with the FBI and other "key partners", such as Microsoft, both of whose own analyses support FireEye's suspicions that it was a state-sponsored attack. The publicly listed firm saw its share price drop around seven per cent overnight after it broke the news.

Some in the channel see it as a cautionary tale that there are no absolutes in cybersecurity. Steve Smith, head of sales for Westcoast Cyber, wrote on LinkedIn that "100 per cent secure is NOT possible. But doing nothing is not an option. One thing is for sure...without defence, in-depth and layered security measures in place, this could have been a lot worse."

Former Infinigate UK boss Murray Pearce warned that it is now a "race against time" to stop the cybercriminals from using their stolen wares, and that they have a head start on the security vendor.

"FireEye has an obligation to share as much as they can with the wider market about these tools, not only [to] their customers, to help mitigate the impact of this hack... it is a race against time and the hackers have pole position," he warned.