FireEye made the shocking disclosure Tuesday that it suffered a security breach in what’s believed to be a state-sponsored attack designed to gain information on some of the company’s government customers. The attacker was able to access some of FireEye’s internal systems but apparently didn’t exfiltrate data from the company’s primary systems that store customer information, the threat intelligence vendor said.
The threat actor, however, stole FireEye’s Red Team security assessment tools, and FireEye said it isn’t sure if the attacker plans to use the stolen tools themselves or publicly disclose them.
This isn’t the first nation-state attack against a cybersecurity vendor or even the first hacker to get access to FireEye corporate documents. The attackers were focused on folks doing work across many different governments and not just the US Government, FireEye CEO Kevin Mandia told investors last week. But it is the first time in many years that powerful hacking tools have landed in the hands of adversaries.
From who’s suspected to be behind the FireEye hack and how they remained hidden to what FireEye and intelligence officials are doing to minimize the collateral damage, here’s a look at what partners need to know about this earth-shaking attack.
Other major security vendors have also been hacked
FireEye is hardly the only security firm to suffer a damaging hack. In 2011, RSA Security was hit by a nation-state actor later linked to China in a breach that allowed attackers to steal data that “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation,” a statement that suggested the information was related to the company’s SecurID product.
In 2013, crooks broke into Bit9, stole one of its cryptographic certificates, and used it to infect three of its customers with malware, Ars Technica said. Bit9 merged with Carbon Black a year later, and the firm was bought by VMware in 2019. In 2015, Kaspersky said malware derived from Stuxnet—which the US and Israel reportedly used o disable the Iranian nuclear program—had infected its network and remained undetected for months.
Symantec confirmed in 2012 that a segment of its antivirus source code was stolen by hackers, the New York Times reported, while Avast got hacked both in 2017 and in 2019. And McAfee, Symantec and Trend Micro were among the list of major security companies whose code a Russian-speaking hacker group claimed to have stolen last year, The Times said.
Previous FireEye corporate hacking attempt ended in arrest
This is not the first time adversaries have attempted to breach FireEye’s corporate network.
A hacker attacked the personal online accounts of Mandiant senior threat intelligence analyst Adi Peretz in July 2017, using credentials for Peretz’s social media and email accounts exposed in publicly disclosed third-party breaches to access the employee’s personal online accounts. The attacker publicly released three FireEye corporate documents obtained from the victim‘s personal online accounts, FireEye said.
Two customer names were identified in the employee‘s personal email and disclosed by the hacker, FireEye said in August 2017. The hacker, however, was unable to breach, compromise or access FireEye’s corporate network, despite multiple failed attempts to do so, the company said at the time.
FireEye worked with law enforcement and spent hundreds of hours investigating the hacker’s claim that he had breached FireEye‘s corporate network, FireEye said in 2017. The hacker in that case was ultimately arrested and taken into custody by international law enforcement on Oct. 26, 2017, FireEye disclosed a week later.
U.S. House Intelligence Committee Chairman asks for briefing
The chairman of the U.S. House Intelligence Committee, Rep. Adam Schiff (D-Calif.), announced Tuesday night that he would ask intelligence officials for more information on the latest incident.
“We have asked the relevant intelligence agencies to brief the Committee in the coming days about this attack, any vulnerabilities that may arise from it, and actions to mitigate the impacts,” Schiff said in a statement. “This news about FireEye is especially concerning because reportedly a nation-state actor made off with advanced tools that could help them mount future attacks.”
U.S. Senate Intelligence Committee member Mark Warner (D-Va.), said the hack demonstrates that even the most sophisticated companies are vulnerable to cyberattacks.
“I applaud FireEye for quickly going public with the news, and I hope the company’s decision to disclose this intrusion serves as an example to others facing similar intrusions. We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers,“ Warner said.
FBI makes rare statement, links hack to nation-state
The Federal Bureau of Investigation (FBI) rarely comments on ongoing investigations it’s reported to be conducting, but made an exception Tuesday for the cyber-attack against FireEye. “The FBI is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation state,” Matt Gorham, assistant director of the FBI‘s Cyber Division, said in a statement to media outlets.
“It is important to note that our adversaries are continuously looking for US networks to exploit,” Gorham continued. “That is why we are focused on imposing risk and consequences on malicious cyber actors, so they think twice before attempting an intrusion in the first place; why we are focused on quickly responding to victims and providing organizations with the information they need to defend their networks; and why we encourage anyone that notices suspicious activity to notify the FBI or the USSS [U.S. Secret Service].”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also put out a statement about the FireEye hack: “Although CISA has not received reporting of these tools being maliciously used to date, unauthorized third-party users could abuse these tools to take control of targeted systems. The exposed tools do not contain zero-day exploits.”
Largest Known Theft Of Cybersecurity Tools Since 2016
The FireEye hack is the biggest known theft of cybersecurity tools since those of the National Security Agency were stolen in 2016 by The Shadow Brokers group, The New York Times reported. That group dumped the NSA’s hacking tools online over several months, including installation scripts, configurations for command and control servers, and exploits for many vendors‘ routers and firewalls.
North Korea and Russia used the NSA’s stolen weaponry in destructive attacks on government agencies, hospitals and the world’s biggest conglomerates — at a cost of more than $10 billion. The NSA’s tools were most likely more useful than FireEye’s since the U.S. government builds purpose-made digital weapons, The New York Times said.
In contrast, The Times said FireEye’s Red Team tools were essentially built from malware that the company has seen used in a wide range of attacks. Still, most of the FireEye’s Red Team tools had been based in a digital vault that the company closely guarded, according to The New York Times.
FireEye tool repository contains no zero-day exploits
FireEye said it has developed and is publicly releasing more than 300 countermeasures so that its customers and the broader security community can protect themselves against the security assessment tools used by the company’s Red Team. The company said it’ll update its public GitHub repository with countermeasures for host, network and file-based indicators as it develops new detections.
The Red Team tools currently listed in FireEye’s GitHub repository are primarily intended to facilitate privilege escalation, credential stealing and lateral movement, with many of the hacks capitalizing on SaaS and cloud vulnerabilities. No zero-day exploits or clear remote code execution (RCE) attacks appear in FireEye’s GitHub repository.
Most of FireEye’s disclosed Red Team tooling is standard in nature including modified Mimikatz, with little that is groundbreaking in nature. An adversary, however, could make attribution more difficult by using the tactics, techniques and procedures (TTPs) of FireEye’s Red Team rather than items from their standard tool chest.
Russian spies behind FireEye attack also hit Dem Committee
The same spies with Russia’s foreign intelligence service who penetrated the White House and State Department several years ago and have attempted to steal coronavirus vaccine research were the ones to break into FireEye’s servers, The Washington Post reported. The breach was detected by FireEye in recent weeks and disclosed Tuesday, according to the Post, citing people familiar with the matter.
Hackers with the Russian intelligence service – also known as APT29 - compromised the Democratic National Committee servers in 2015 and hacked the State Department and the White House during the Obama administration. APT29, however, did not leak the hacked DNC material; rather, Russian military spy agency GRU separately hacked the DNC and leaked its emails to WikiLeaks in 2016, the Post said.
In contrast, The Washington Post said that APT29 hacks for traditional espionage purposes, stealing secrets that can be useful for the Kremlin to understand the plans and motives of politicians and policymakers. Group members have stolen industrial secrets, hacked foreign ministries and gone after coronavirus vaccine data, according to The Post.
Hackers created thousands of new IP addresses to stay hidden
The hackers behind the FireEye attack went to extraordinary lengths to avoid being seen, The New York Times reported. Specifically, The Times said they created several thousand internet protocol addresses - many inside the United States - that had never before been used in attacks. By using those addresses to stage their attack, it allowed the hackers to better conceal their whereabouts, according to The Times.
The hackers were disciplined and used a rare combination of attack tools, some of which apparently hadn’t previously been used in any known attacks on other victims, The Wall Street Journal reported. This is an unusual sign of sophistication and resolve, The Journal said, and speaks to how dedicated the hackers were to specifically compromising FireEye.
People familiar with the investigation told The Journal that the hackers took advanced measures to conceal their activity and identity. “This was a sniper shot that got through,” a person familiar with the investigation told The Journal.