FireEye ranks among the biggest cybersecurity firms in the US. On December 8, the firm announced that it had been hacked, possibly by a state-sponsored group. It also said that the arsenal of hacking tools it uses, in red-team engagements, to breach the defenses of its clients had been stolen.
The FireEye hack is seen as one of the most significant breaches in recent times. The company holds many contracts across the national security space in the US and allied countries, yet ironically its own security was breached. After the announcement, the company’s shares plunged 8% in after-hours trading.
The breach was disclosed in a public filing with the Securities and Exchange Commission (SEC). An official blog post from the firm stated that the “red team tools” were stolen in a highly sophisticated, possibly government-backed operation that used novel techniques.
For now, it has not been determined when the hack happened. However, a person familiar with the incident said that the firm had been resetting user passwords over the preceding two weeks. Apart from the tool theft, the hackers also seemed to be highly interested in one segment of FireEye’s clients: government agencies.
Rep. Adam Schiff, the chair of the House Intelligence Committee, promised to ask for more information.
“We have asked the relevant intelligence agencies to brief the Committee in the coming days about this attack, any vulnerabilities that may arise from it, and actions to mitigate the impacts.”
The FireEye Hack Investigation
So far, no evidence has been found that FireEye’s hacking tools have been used or that client data was stolen. Nonetheless, Microsoft and the Federal Bureau of Investigation (FBI) are assisting with the investigation. Matt Gorham, the assistant FBI director for the Cyber Division, commented:
“The FBI is investigating the incident, and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”
One former Defense Department official said that Russia is high on the list of suspects. Notably, Russian interference was a prime concern in the run-up to the US presidential election, and American officials even exposed some Russian hacking strategies at the time.
Other major security firms have been hacked before, including RSA, Kaspersky Lab, and Bit9. These breaches underscore the challenge security teams face in keeping digital assets out of the reach of experienced and sophisticated hackers. A Western security official who insisted on anonymity said that many other security firms have also been breached.
The co-founder and former chief technology officer at CrowdStrike, Dmitri Alperovitch, stated:
“The goal of these operations is typically to collect valuable intelligence that can help them defeat security countermeasures and enable hacking of organizations all over the world.”
FireEye decided to explain what happened and which tools were taken so that others can avoid being hacked by the same group. The cybersecurity firm said that it is working with various software makers on measures to defend systems against its tools, and it has released these countermeasures publicly.
How The Hackers Work
The stolen tools are modified versions of publicly available programs, as Vincent Liu, CEO of security firm Bishop Fox, explained. They can be used to exploit many vulnerabilities in popular software products. FireEye CEO Mandia confirmed that none of the stolen red team tools exploited “zero-day vulnerabilities,” so the flaws they target should already be public.
Previous attacks on government contractors and agencies have stolen higher-value hacking tools. Some of these tools were eventually made public, which destroyed their effectiveness once defenses were set up against them.
Both the CIA and the NSA have been victimized this way in the past decade, and Russia is a prime suspect. Iranian and Russian tools have also been hacked and published recently. Private surveillance software makers have not been spared either.
Analysts and experts believe it is hard to estimate the effect of a leak of tools that target already-known software vulnerabilities, but such a leak makes attackers’ jobs easier. Paul Ferguson, threat intelligence principal at security company Gigamon, said:
“Exploitation tools in the wrong hands will lead to more victimization of people who don’t see it coming, and there are already enough problems like that. We don’t need more exploitation tools floating around making it easier — look at ransomware.”
Whenever private firms discover a weakness in their software products, they create a ‘patch’ or an upgrade to fix the issue. However, most users do not install these patches immediately; some delay for months or even years, which leaves them exposed to hackers.