FireEye Says Nation-State Attackers Stole Pen Test ToolsSecurity Vendor Believes No Customer Data Was Exfiltrated
FireEye, one of the world’s top cybersecurity firms, says attackers stole its penetration testing tools and sought information about its government clients.
See Also: Top 50 Security Threats
The attackers used “a novel combination of techniques” specifically tailored for attacking Milpitas, California-based FireEye, leading the company to believe it is a state-sponsored attack, or one perpetrated by a nation with deep offensive cybersecurity capabilities, the company disclosed Tuesday.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” says Kevin Mandia, FireEye’s CEO, in a statement. The attackers appear to have been "highly trained in operational security and executed with discipline and focus," and "used a novel combination of techniques not witnessed by us or our partners in the past,” he says.
FireEye’s public relations office says it's not offering more information beyond the statement. FireEye has contacted the FBI, and Microsoft is helping with the investigation, Mandia says. FireEye’s share price fell by 14% following the announcement.
“Preliminary indications show an actor with a high level of sophistication consistent with a nation-state,” Matt Gorham, assistant director of the FBI's cyber division, told The Washington Post.
The potential identity of the suspected attackers has not been disclosed. The New York Times, however, reports that the FBI has given the case to its Russia specialists, but that does not mean investigators have any concrete evidence. Attributing cyber activity is often difficult and, in many cases, never conclusive.
Democratic Sen. Mark Warner of Virginia, who is the vice chairman of the Senate Intelligence Committee, issued a statement on Tuesday saying FireEye’s problems show “the difficulty of stopping determined, nation-state hackers.”
“The hack of a premier cybersecurity firm demonstrates that even the most sophisticated companies are vulnerable to cyberattacks,” Warner says. “I applaud FireEye for quickly going public with this news, and I hope the company’s decision to disclose this intrusion serves as an example to others facing similar intrusions.”
The attack is significant because FireEye is one of the top cybersecurity firms regularly contracted to help other organizations respond to hack attacks and investigate data breaches.
Its Mandiant branch, which was founded by Mandia and acquired by FireEye in 2014, offers digital forensic experts who are called on to trace the source of a breach, eject attackers and restore systems.
It's not unheard of for security organizations and companies or even intelligence agencies to be successfully attacked. U.S. government agencies, such as the CIA and National Security Agency, have experienced breathtaking leaks of their sensitive tools and data, suggesting attackers somehow gained deep access to their systems or insiders. Just last month, antivirus vendor Sophos warned that an internal system that it misconfigured may have led to a data leak affecting some of its customers (see: Sophos Warns Customers of Possible Data Leak).
"This attack is different from the tens of thousands of incidents we have responded to throughout the years. [The attackers] used a novel combination of techniques not witnessed by us or our partners in the past."
—Kevin Mandia, CEO, FireEye
“Security companies are constantly in the crosshairs,” says Brett Callow, a security adviser with the New Zealand-based security company Emsisoft.
FireEye may be an attractive target because it produces prolific research on so-called advanced persistent threat, or APT, hacking groups.
It frequently releases highly detailed reports on hacking groups believed to be affiliated with China, Russia, North Korea, Iran and others. Those reports can reveal tactics, techniques and procedures used by hacking groups, making it easier for would-be victims to spot suspicious activity and tougher for attackers to succeed or go unnoticed.
Mandia didn’t disclose when the company was attacked or how long the attackers were in its systems. He says it doesn't appear that any customer information was exposed.
“While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems,” Mandia says. “If we discover that customer information was taken, we will contact them directly.”
Stolen: Pen Test Tools
One ongoing cause for concern, however, is the theft of FireEye's “Red Team” tools. These tools, which include scripts, tools, scanners and techniques, are used to test clients' infrastructure for security vulnerabilities or configuration lapses that could lead to a data breach.
“These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” Mandia writes. “None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.”
Ironically, FireEye is in the position now of trying to help its clients potentially defend themselves against tools that it built. Mandia says there is no evidence that the attackers are using the Red Team tools yet, but it continues to monitor for such activity.
FireEye says in a blog post: “Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario.”
On GitHub, the company has released what it calls a set of countermeasures that can be used to block or detect the use of its Red Team tools. The GitHub countermeasures include many Snort and Yara rules, which are predefined descriptions of malware and attack techniques that can be imported into intrusion detection software for flagging signs of malicious activity.
Many of the tools that were compromised have code names, which are revealed in the list of countermeasures that FireEye released. While FireEye did not have exploit code stolen, it did create tools to target certain kinds of vulnerabilities.
Jerry Gamblin, head of security research at Kenna Security, says FireEye has also released a list of CVEs that its tools targeted, which all organizations can use to ensure they have patched these high-risk vulnerabilities across their environment.
“The tools that were compromised and their respective vulnerabilities are all tied to older, well-documented and high-risk CVEs that should already be patched or otherwise mitigated by security teams,” Gamblin says. But many organizations fail to install security updates for months or sometimes even years after they get released (see: NSA: Chinese Hackers Exploiting 25 Vulnerabilities).
FireEye Joins the Ranks of RSA and Kaspersky
Cybersecurity expert Dmitri Alperovitch, who's been briefed on the breach investigation, tells The Wall Street Journal that FireEye now joins a long list of security firms - including RSA and Kaspersky - that have been hit by suspected government hackers.
“They do this to gain insights that can help them defeat security countermeasures and enable hacking of organizations all over the world,” said Alperovitch, who formerly served as an executive at CrowdStrike, which competes with FireEye. “With FireEye rapidly coming forward and transparently disclosing what happened to them, as well as disclosing the Red Team tools stolen by the adversaries, they are helping to minimize the chances of others getting compromised as a result of this breach.”
FireEye has also added countermeasures to its own security products to help block attacks using its tools, and Mandia has promised that it will continue to develop new mitigations to block its own, offensive tools.
News Editor Doug Olenick and Executive Editor Mathew Schwartz contributed to this report.