Cyber assessment tools stolen in FireEye hack
- By Justin Katz
- Dec 09, 2020
FireEye, one of the nation’s leading cybersecurity firms, has become a victim of a "sophisticated" attack that targeted and accessed red team assessment tools the company uses to test its customers’ security, according to a Dec. 8 blog post by CEO Kevin Mandia.
"The attackers tailored their world-class capabilities specifically to target and attack FireEye," according to Mandia. "They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past." He added that "none of the tools contain zero-day exploits."
Mandia also wrote that it is not clear whether the attackers plan to use or publish the tools, but he said the company has developed more than 300 countermeasures to the red team tools to minimize the impact of the theft that are now available on GitHub.
The attackers sought information about the company's government customers, which Mandia said is in line with the actions of a "nation-state cyber-espionage effort." The company so far has "seen no evidence that the attacker" stole data from the company's systems that house customer information.
FireEye’s federal customers past and present include the Army and Navy, the Agency for International Development, the Environmental Protection Agency, and the Departments of Treasury, Health and Human Services and Justice, among others. The city of San Francisco, Sammamish, Wash., the University of South Carolina and Denver Public Schools are also FireEye customers, along with technology innovators including DWave, the quantum computing firm, and CERN, the world’s largest particle physics lab.
Mandia's post does not name a specific country as a suspect, but says FireEye is working with both Microsoft and the FBI to investigate the incident. Reports in the New York Times, the Washington Post and the Wall Street Journal indicate that a Russian intelligence service is a likely suspect.
FireEye isn't the first cybersecurity vendor to suffer a serious intrusion, according to Crowdstrike founder Dmitri Alperovich.
"With the Fire[E]ye breach news coming out, it's important to remember that no one is immune to this. Many security companies have been successfully compromised over the years, including Symantec, Trend, Kaspersky, RSA and Bit9," Alperovich said on Twitter. "Security companies are a prime target for nation-state operators for many reasons, but not least of all is ability to gain valuable insights about how to bypass security controls within their ultimate target."
This article was first posted to FCW, a sibling site to GCN.
Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.