US cybersecurity firm FireEye has said foreign hackers with “world-class capabilities” broke into its network and stole tools it uses to probe the defences of thousands of customers, who include federal, state and local governments and top global corporations.
The hackers “primarily sought information related to certain government customers”, FireEye chief executive Kevin Mandia said in a statement, without naming them.
He said there was no indication that they obtained customer information from the company’s consulting or breach-response businesses or threat-intelligence data it collects.
FireEye is a major cybersecurity firm – it responded to the Sony and Equifax data breaches and helped Saudi Arabia thwart an oil industry cyberattack – and has played a key role in identifying Russia as the protagonist in numerous global digital incidents.
Neither Mr Mandia nor a FireEye spokeswoman revealed when the company had detected the hack or who might be responsible, but many in the cybersecurity community suspect Russia.
“I do think what we know of the operation is consistent with a Russian state actor,” said former NSA hacker Jake Williams, president of Rendition Infosec. “Whether or not customer data was accessed, it’s still a big win for Russia.”
Mr Mandia said he had concluded that “a nation with top-tier offensive capabilities” was behind the attack.
The stolen “red team” tools – which amount to real-world malware – could be dangerous in the wrong hands.
FireEye said there iss no indication they have been used maliciously, but cybersecurity experts say sophisticated nation-state hackers could modify them and use them against government or industry targets in future.
The hack was the biggest blow to the US cybersecurity community since 2016 when a mysterious group known as the Shadow Brokers released a trove of high-level hacking tools stolen from the National Security Agency.
The US believes North Korea and Russia capitalised on the stolen tools to unleash devastating global cyberattacks.
The nation’s Cybersecurity and Infrastructure Security Agency warned that “unauthorised third-party users” could similarly abuse FireEye’s stolen red-team tools.
FireEye, which is based in Milpitas, California, said in Tuesday’s statement that it has developed 300 countermeasures to protect customers and others from them and is making them immediately available.
FireEye has been at the forefront of investigating state-backed hacking groups, including Russian groups trying to break into state and local governments in the US that administer elections.
It was credited with attributing to Russian military hackers mid-winter attacks in 2015 and 2016 on Ukraine’s energy grid.
Its threat hunters also have helped social media companies including Facebook identify malicious actors.
Thomas Rid, a Johns Hopkins cyberconflict scholar, said if the Kremlin was behind the hack it could have been seeking to learn what FireEye knows about Russia’s global state-backed operations – doing counterintelligence.
Or it might have seeking to retaliate against the US government for measures including indicting Russian military hackers for meddling in the 2016 US election and other alleged crimes. FireEye is, after all, a close US government partner that has “exposed many Russian operations”, Mr Rid said.
FireEye said it is investigating the attack in co-ordination with the FBI and partners including Microsoft, which has its own cybersecurity team.
Mr Mandia said the hackers used “a novel combination of techniques not witnessed by us or our partners in the past”.
Matt Gorham, assistant director of the FBI’s cyber division, said the hackers’ “high level of sophistication (was) consistent with a nation state”.
The US government is “focused on imposing risk and consequences on malicious cyber actors, so they think twice before attempting an intrusion in the first place”, he said. That has included what US Cyber Command terms “defending forward” operations such as penetrated the networks of Russia and other adversaries.
US Senator Mark Warner, a Virginia Democrat on the Senate’s intelligence committee, applauded FireEye for quickly disclosing the intrusion, saying the case “shows the difficulty of stopping determined nation-state hackers”.
Cybersecurity expert Dmitri Alperovitch said security companies like FireEye are top targets, with big names in the field including Kaspersky and Symantec breached in the past.
“Every security company is being targeted by nation-state actors. This has been going on for over a decade now,” said Mr Alperovitch, co-founder and former chief technical officer of Crowdstrike, which investigated the 2016 Russian hack of the Democratic National Committee and Hillary Clinton’s campaign.
He said the release of the “red-team” tools, while a serious concern, is “not the end of the world because threat actors always create new tools”.
“This could have been much worse if their customer data had been hacked and exfiltrated. So far there is no evidence of that,” he said, citing hacks of other cybersecurity companies – RSA Security in 2011 and Bit9 two years later – which contributed to the compromise of customer data.
Founded in 2004, FireEye went public in 2013 and months later acquired Virginia-based Mandiant Corp, the firm that linked years of cyberattacks against US companies to a secret Chinese military unit.
It has about 3,400 employees and revenue last year was 889.2 million US dollars (£666 million), though it made a net loss of 257.4 million US dollars (£192.8 million).
The company’s 8,800 customers last year included more than half of the Forbes Global 2000, companies in telecommunications, technology, financial services, healthcare, electric grid operators, pharmaceutical companies and the oil-and-gas industry.
Its stock fell more than 7% in after-hours trading on Tuesday following news of the hack.
