FireEye hacked. “State-sponsored attackers” blamed as Red Team tools stolen. Here’s what you need to know

Graham Cluley
@gcluley

What’s happened?
Cybersecurity firm FireEye says it has been hacked.

Ouch!
Yup.

What is FireEye saying about it?
The company’s CEO Kevin Mandia has published a blog post that doesn’t name who FireEye believes was responsible, but does say that the attackers “primarily sought information related to certain government customers.”

He continues:

“We were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack…”

“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

What did the hackers steal from FireEye?
FireEye says that so far its investigation has found that the hackers accessed “Red team” tools normally used to test customers’ security.

“These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits.”

It’s unclear whether the hackers intend to release the stolen tools publicly or keep them for their own operations. Either way, FireEye says it has developed “more than 300 countermeasures” that can be used to “minimize the potential impact of the theft of these tools.”

So far there is no evidence that the hackers exfiltrated any customer data. However, it is still early days in the investigation, which is being conducted in coordination with the FBI and Microsoft.


How could FireEye’s stolen tools be used by someone malicious?
They are working attack tools. FireEye built them to mimic the behaviour of real threat actors so it could test its customers’ defences, which means anyone who now holds them has a tested toolkit for finding and exploiting weaknesses in your company’s security.

Yikes!
Yup. The good news is that so far there’s been no evidence seen that the tools have been used by any unauthorised parties. However, it would be naive to think that they won’t be, or that anyone has perfect visibility on whether they have been deployed or not.

Where can I find FireEye’s countermeasures?
Check out a GitHub page created by the company. Bear in mind that published countermeasures only protect you once they are actually loaded into your own detection tooling, so don’t leave deploying them until later.

It’s likely that other security vendors will also issue tools to protect against and detect the usage of FireEye’s stolen tools.

This is pretty embarrassing for FireEye.
It’s not just embarrassing. It’s horrifying. It’s the kind of nightmare that makes the CEOs of cybersecurity firms wake up in the middle of the night in a cold sweat.

And it’s no surprise to hear that the company’s share price has already taken a hit in after-hours trading since the bad news was disclosed.

However, it’s worth realising that no company is infallible – whether it’s in the cybersecurity industry or not. And if state-sponsored hackers are determined to break into an organisation there’s practically nothing that can be done to guarantee that they won’t ever be able to break in.

There will no doubt in the coming days be some security vendors who try to take advantage of FireEye’s misfortune. They should watch their backs – it may be their systems which get hacked next.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 comments on “FireEye hacked. “State-sponsored attackers” blamed as Red Team tools stolen. Here’s what you need to know”

  1. “We were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack…”

    Yeah, right… Since they see Chinese under every bed, that's no surprise…

  2. "They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past." What can't be hacked, given the determination, focus and toolsets hackers seem to possess? Did they exploit the weakest link in any security – human beings?
