Picture: 123RF/GLEB STOCK
Picture: 123RF/GLEB STOCK

Washington/San Francisco/ — FireEye, a prominent US cybersecurity company, has acknowledged that it has been breached, probably by hackers from a foreign adversary. The attackers made off with sensitive tools that FireEye uses to find vulnerabilities in clients’ computer networks.

The attackers were a “nation with top-tier offensive capabilities”, said CEO Kevin Mandia. He didn’t identify the country suspected in the attack, but a person familiar with the incident said investigators believe hackers closely aligned with the Russian government were behind it.

The hackers “tailored their world-class capabilities specifically to target and attack FireEye”, Mandia said in a company blog on Tuesday. “They are highly trained in operational security and executed with discipline and focus.”

By Wednesday morning, FireEye’s shares had fallen as much as 14% in extended trading after closing at $15.52 in New York.

It was the latest setback for a company whose stock peaked in 2014 at more than $80 following the initial public offering (IPO) the year before. For the past four years, FireEye shares have been stuck at about $15, spurring recurrent reports about an acquisition.

The motive for the attack isn’t clear, and it isn’t certain that the hackers intended to swipe what are known as “red team tools” in the security community. Mandia said the attackers “sought information related to certain government customers”. However, while the hackers accessed “some of our internal systems”, they didn’t appear to steal customer data, he said.

Red team tools mimic the behaviour of hackers and enable FireEye to provide “diagnostic security services” to customers, Mandia said. So far, the company hadn’t seen evidence that anyone had used the tools in an attack. Dmitri Alperovitch, the co-founder and former chief technology officer of CrowdStrike, a FireEye competitor, said red team tools are built to bypass customer networks and can sometimes be more sophisticated that the ones used by hackers. “You get paid to succeed breaking in,” he said.

That could make them potentially valuable for hackers seeking to infiltrate computer networks. But Alperovitch said the tools may not have been the only target. FireEye’s customers include nation-states, large tech companies, energy conglomerates and defence firms. The FireEye breach could expose the intelligence company’s clients to a similar fate — an adversary’s infiltration, or possibly the sale of their secret data, said Alperovitch.

Preliminary indications ‘show an actor with a high level of sophistication consistent with a nation state ’
Matt Gorham, assistant director of FBI’s cyber division

FireEye, based in California, was founded in 2004 and now has 9,600 customers in 103 countries. It also protects more than 1,000 government and law enforcement agencies, according to its website.

FireEye, with more than 3,000 employees and $889m in revenue last year, is one of the relatively few cybersecurity firms with enough threat intelligence and expertise to routinely and reliably attribute attacks to high-profile hackers, including the governments of Russia, China, Iran and North Korea.

The hack was discovered in recent weeks by FireEye when it found a suspicious login that had surpassed the two-factor authentication requirement on their virtual private network, according to the company. The attackers carried out the hack from two dozen IP addresses based in the US, none of which has been detected as part of a cyberattack before — the type of sophisticated tactics that led FireEye to believe a foreign intelligence service was behind the incident.

FireEye is investigating the attack with the FBI and Microsoft. The company is also publishing information that can help neutralise the tools that were stolen.

Matt Gorham, assistant director of FBI’s cyber division, said preliminary indications “show an actor with a high level of sophistication consistent with a nation state”. The case has similarities to a breach of the US National Security Agency, when hackers stole US cyberweapons and a mysterious group known as the “shadow brokers” published them online, starting in 2016.

But other cybersecurity firms have been hacked too.

In 2011, RSA offered to replace its then popular SecurID tokens after it revealed that its network was breached. The company also acknowledged that data stolen by the hackers was used in an attempted cyberattack at RSA customer Lockheed Martin.

In 2013, security company Bit9 disclosed that cyberattackers had gained access to a digital code-signing certificate used to identify authentic software, and co-opted it to authorise malware they placed on Bit9 customer networks.

The attack was a clever way of circumventing the protections of Bit9’s security technologies, effectively “white-listing” the malware so it wouldn’t be blocked. Bit9 said three of its customers were affected by the attack, which it believed was part of a larger campaign “to infiltrate select US organisations in a very narrow market space”.

In 2015, Juniper Networks revealed a complex set of breaches that included hackers inserting a secret administrative password into the source code of its popular line of NetScreen security products, which were used around the world by banks and government agencies to protect some of their highest-security networks.



Would you like to comment on this article or view other readers' comments?
Register (it’s quick and free) or sign in now.

Speech Bubbles

Please read our Comment Policy before commenting.