U.S. Cybersecurity Firm FireEye Reveals Attack by ‘Nation-State’ Hackers


American cybersecurity firm FireEye reported Tuesday that it was attacked by a “highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.”

The company is working with the FBI to identify the perpetrator, which analysts at other security firms suspect will turn out to be Russia.

FireEye CEO Kevin Mandia described the situation in a blog post, using present-tense language that implied the assault could be ongoing:

Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.

We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.

During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.

According to Mandia, there is no evidence yet that the hackers have used the stolen Red Team tools for malicious purposes, but FireEye has prepared detection “countermeasures” for the stolen tools and released them publicly as a precaution. Mandia stressed that the stolen tool set did not include any “zero-day exploits,” the class of weaponized, unpatched flaws that could put large numbers of computer systems at risk.

Mandia said one reason to suspect a nation-state was behind the attack is that the hackers “primarily sought information related to certain government customers,” whose identities he did not disclose.

“We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. We will never be deterred from doing what is right,” he vowed.

Radio Free Europe (RFE) quoted Matt Gorham, assistant director of the FBI’s Cyber Division, agreeing that the “high level of sophistication” displayed in the FireEye hack was “consistent with a nation state.”

According to RFE, “many in the cybersecurity community” suspect the nation-state in question is Russia, which holds a grudge against FireEye for publicly attributing several major intrusions to Russian state hackers over the years.

RFE described the successful penetration of FireEye as a crime comparable to the raid on the National Security Agency (NSA) in 2016, in which the hackers stole a trove of NSA software that was employed in subsequent cyberattacks around the globe.

Reuters on Tuesday agreed that the attack is “among the most significant breaches in recent memory” and noted FireEye’s stock value dropped by eight percent after the news broke.

“It is not clear exactly when the hack initially took place, but a person familiar with the events said the company has been resetting user passwords over the past two weeks,” Reuters reported.

Wired, on the other hand, saw the attack as more of a symbolic “statement” than a massive cybersecurity “catastrophe” like the raid on the NSA. As Wired pointed out, the Red Team tools largely emulate malware already employed by hackers, so stealing them could be more about embarrassing FireEye than augmenting the clearly formidable abilities of the thieves.

The New York Times (NYT) said the FBI has “turned the case over to its Russia specialists,” while the NSA issued a warning about Russian cyberespionage on Monday that could be related to the assault on FireEye.

“On Tuesday, Russia’s National Association for International Information Security held a forum with global security experts where Russian officials again claimed that there was no evidence its hackers were responsible for attacks that have resulted in American sanctions and indictments,” the NYT noted.

The Washington Post on Tuesday cited “people familiar with the matter” who said the FireEye attack was probably perpetrated by APT 29, also known as “Cozy Bear,” the same hackers linked to Russian intelligence that penetrated the State Department and White House during the Obama administration.
