FireEye was recently breached in what's believed to be a state-sponsored attack designed to gain information on some of the threat intelligence vendor's government customers.
The Milpitas, Calif.-based cybersecurity firm said the attacker was able to access some of FireEye’s internal systems but apparently didn’t exfiltrate data from the company’s primary systems that store customer information. The threat actor, however, stole FireEye’s Red Team security assessment tools, and FireEye isn’t sure if the attacker plans to use the stolen tools themselves or publicly disclose them.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” FireEye CEO Kevin Mandia wrote in a blog post Tuesday. “The attackers tailored their world-class capabilities specifically to target and attack FireEye … They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
FireEye’s stock was down US$1.21 (7.80 percent) to US$14.31 in after-hours trading Tuesday, which is the lowest the company’s stock has traded since Nov. 19. The company said it’s investigating the attack in coordination with the Federal Bureau of Investigation (FBI) and other key partners including Microsoft.
The New York Times is reporting that the FireEye hack appears to have been carried out by Russian intelligence agencies based in part on the fact that the FBI has turned the case over to its Russia specialists. FireEye declined to comment on the New York Times report, and said it isn’t making any statement on attribution.
FireEye said the stolen Red Team tools range from simple scripts used for automating reconnaissance to entire frameworks similar to publicly available tools such as Cobalt Strike and Metasploit. The tools apply well-known and documented methods that are used by other attack simulation teams around the world, and do not contain any zero-day exploits, according to FireEye.
That's in marked contrast to the Shadow Brokers, who in August 2016 offered to sell what they said were U.S. government hacking tools, asking 1 million bitcoin for the full set. The group claimed to have taken the zero-day exploits from the Equation Group, which is widely believed to be tied to the National Security Agency. The dump included installation scripts, configurations for command and control servers, and exploits for several vendors' firewalls and routers.
So far, FireEye hasn't seen any evidence that any attacker has used the Red Team tools stolen from the company. Nonetheless, FireEye said it has developed and is publicly releasing more than 300 countermeasures so that its customers and the broader security community can detect and block these tools.
FireEye said it has incorporated these countermeasures into its own products, and has shared them with partners and government agencies including the Department of Homeland Security to limit the threat actor’s ability to exploit these Red Team tools. The company will continue updating its public repository with countermeasures for host, network and file-based indicators as it develops new detections.
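For readers wondering what "file-based indicators" look like in practice, the following is an added example, not FireEye's code and not the format of its published countermeasures (which the article does not describe). It assumes a simple line-based indicator feed of the form `type|value|name`, with two indicator types: a SHA-256 hash of a known tool file, and a byte pattern expected to appear inside one. The indicator values, the sample files and the rule names are constructed for the demo and are not real indicators.

```python
"""Added example: applying file-based indicators (hash and byte pattern) to files on disk.

Not FireEye's code; the 'type|value|name' feed format, the rule names and the
sample files are assumptions constructed for this demonstration.
"""
import hashlib
import os
import tempfile


def load_indicators(text):
    """Parse a constructed 'type|value|name' feed into (kind, value, name) rules.

    'sha256' values are normalised to lowercase hex; 'bytes' values are hex
    strings decoded to raw bytes so they can be searched for in file content.
    Blank lines and '#' comments are ignored; unknown types are rejected rather
    than silently skipped, so a typo in the feed cannot disable a rule.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, name = line.split("|", 2)
        if kind == "sha256":
            rules.append((kind, value.lower(), name))
        elif kind == "bytes":
            rules.append((kind, bytes.fromhex(value), name))
        else:
            raise ValueError(f"unknown indicator type: {kind!r}")
    return rules


def scan_file(path, rules):
    """Return the names of all rules that match the file at 'path'.

    The file is read once; the hash is compared against every sha256 rule and
    each byte pattern is searched for in the raw content. (Reading whole files
    keeps the demo simple; a production scanner would stream large files.)
    """
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for kind, value, name in rules:
        if kind == "sha256" and digest == value:
            hits.append(name)
        elif kind == "bytes" and value in data:
            hits.append(name)
    return hits


def scan_directory(root, rules):
    """Walk 'root' and map each matching file (relative path) to its rule hits."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            path = os.path.join(dirpath, filename)
            hits = scan_file(path, rules)
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def demo():
    """Build constructed sample files and a constructed feed, then scan them."""
    # Constructed sample content standing in for a stolen recon script.
    recon = b"#!/bin/sh\n# constructed sample: recon helper\nnmap -sn 10.0.0.0/24\n"
    # Constructed marker standing in for a distinctive string inside a loader.
    loader_marker = b"CONSTRUCTED-LOADER-MAGIC"
    loader = b"MZ" + b"\x00" * 16 + loader_marker + b"\x00" * 16
    clean = b"hello world\n"

    # The feed is built from the constructed samples so the hash rule matches.
    feed = "\n".join([
        "# type|value|name",
        f"sha256|{hashlib.sha256(recon).hexdigest()}|Constructed.ReconScript",
        f"bytes|{loader_marker.hex()}|Constructed.LoaderMarker",
    ])
    rules = load_indicators(feed)

    with tempfile.TemporaryDirectory() as root:
        for name, blob in (("recon.sh", recon), ("loader.bin", loader), ("notes.txt", clean)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return scan_directory(root, rules)


if __name__ == "__main__":
    for path, names in demo().items():
        print(f"{path}: {', '.join(names)}")
```

Hash indicators are exact and cheap but break as soon as a single byte of a tool changes, which is why a release of this kind also carries network and host indicators and pattern-based rules; the byte-pattern rule above is the simplest form of the latter, and a real deployment would use a signature engine rather than a substring search.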
FireEye said it doesn’t see any signs that the attacker exfiltrated data from either its primary systems that store information from incident response or consulting engagements or from the metadata collected by the company’s products in its dynamic threat intelligence systems. If FireEye discovers that customer information was taken, the company said it will contact customers directly.
“We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected,” Mandia wrote in the blog post. “We will never be deterred from doing what is right.”