FireEye, normally the first company that cyberattack victims will call, has now admitted it too has fallen victim to hackers, which the company called a “sophisticated threat actor” that was likely backed by a nation-state.
In a blog post confirming the breach, the company’s chief executive Kevin Mandia said the nation-backed hackers have “top-tier offensive capabilities,” but did not attribute blame or say which government was behind the attack.
Mandia, who founded Mandiant, the incident response firm acquired by FireEye in 2014, said the hackers used a “novel combination of techniques not witnessed by us or our partners in the past” to steal hacking tools used typically by red teams, which are tasked with launching authorized but offensive hacking campaigns against customers in order to find weaknesses or vulnerabilities before malicious hackers do.
“These tools mimic the behavior of many cyberthreat actors and enable FireEye to provide essential diagnostic security services to our customers,” said Mandia. “None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen red team tools.”
But if stolen, these tools could make it easier for hackers to launch attacks against their victims.
Three years ago, hackers breached and stole similarly offensive hacking tools from the National Security Agency, which the spy agency used to collect intelligence on foreign suspected terrorists. But the exploit was later published and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars’ worth of damage.
Mandia said that FireEye has developed hundreds of countermeasures to minimize the impact that these tools pose in the event that the hackers use the tools, but that FireEye has seen no evidence that the tools have been abused.
Although the motives of the hackers are unknown, Mandia said that the hackers appeared to seek information related to its government customers.
But it’s not clear exactly when the breach happened, or how FireEye was alerted to the incident. A spokesperson for FireEye declined to comment beyond the blog post when reached by TechCrunch.
FireEye, valued at about $3.5 billion, saw its stock tank by more than 7% in after-hours trading. The company has gained a reputation as one of the most well-resourced cybersecurity firms on the market, often brought in to understand how a breach happened and what may have been taken.
In this case, FireEye said it had reported the incident to the FBI and alerted industry partners, like Microsoft, to the breach. Microsoft said it was assisting with FireEye’s investigation.
“This incident demonstrates why the security industry must work together to defend against and respond to threats posed by well-funded adversaries using novel and sophisticated attack techniques,” said Microsoft’s Jeff Jones. “We commend FireEye for their disclosure and collaboration, so that we can all be better prepared.”