Breaches, Cybersecurity

FireEye, One of the Top Cybersecurity Companies, Hacked by a Nation-State

The Silicon Valley company said that hackers, possibly Russian, compromised it with tools that could be used to mount new attacks around the world.

FireEye's clients after major breaches have included Sony and Equifax. Hackers targeted its "Red Team" tools. Credit: David Becker/Reuters

WASHINGTON – For years, cybersecurity firm FireEye has been the first call for government agencies and companies around the world that have been hacked by the most sophisticated attackers, or fear they might be.

Now it appears that hackers — in this case, evidence points to Russian intelligence agencies — may be exacting their revenge.

FireEye disclosed on Tuesday that its own systems were breached by what it called "a nation with top-tier offensive capabilities." The company said the hackers used "novel techniques" to make off with its own toolkit, which could prove useful in mounting new attacks around the world.

It was a stunning theft, akin to bank robbers who, after cleaning out local vaults, then turned around and stole the F.B.I.'s investigative tools. Indeed, FireEye said Tuesday, moments after the stock market closed, that it had called in the F.B.I.

The $3.5 billion company, which partly earns its living by identifying the culprits behind some of the world's most brazen breaches — its clients have included Sony, Equifax, and Garmin — declined to explicitly say who was responsible. But its description, and the fact that the F.B.I. handed the case to its Russia specialists, left little doubt as to who the prime suspects were and that they were after what the company calls "red team tools."

These are essentially digital tools that replicate the world's most sophisticated hacking tools. FireEye uses the tools, with the permission of a client company or government agency, to probe for vulnerabilities in their systems. Most of the tools reside in a digital vault that FireEye closely guards.

The hack raises the possibility that Russian intelligence agencies saw an advantage in staging the attack while American attention, including FireEye's, was focused on securing the presidential election system. At a moment when the nation's public and private intelligence systems were searching for breaches of voter registration systems or voting machines, it may have been an opportune time for those Russian agencies — which were involved in the 2016 election intrusions — to shift their gaze to other targets.

The hack was the largest known theft of cybersecurity tools since those belonging to the National Security Agency were stolen in 2016 by a still-unidentified group calling itself the Shadow Brokers. That group put the N.S.A.'s hacking tools online for several months, handing nation-states and hackers the "keys to the digital kingdom," as a former N.S.A. operator put it. North Korea and Russia eventually used the stolen N.S.A. weaponry in destructive attacks against government agencies, hospitals, and the world's largest conglomerates, at a cost of more than $10 billion.

The N.S.A. tools were likely more powerful than FireEye's since the U.S. government builds purpose-built digital weapons. FireEye's red team tools are essentially built from malware the company has seen used across a wide range of attacks.

Even so, the advantage of using stolen weapons is that nation-states can obscure their own fingerprints when launching attacks.

"Hackers could leverage FireEye's tools to hack risky, high-profile targets with plausible deniability," said Patrick Wardle, a former N.S.A. hacker who is now a principal security researcher at Jamf, a software company. "In risky environments, you don't want to burn your best tools, so this gives advanced adversaries a way to use someone else's tools without burning their best capabilities."

A Chinese state-sponsored hacking group was previously caught using N.S.A. hacking tools in attacks around the world, ostensibly after discovering the N.S.A. tools in their own systems. "It's a no-brainer," said Mr. Wardle.

The breach is likely to be a black eye for FireEye. Its researchers worked with Sony after the devastating 2014 attack that the firm later attributed to North Korea. It was FireEye that was called in after the State Department and other U.S. government agencies were breached by Russian hackers in 2015. And its major corporate clients include Equifax, the credit monitoring service that was hacked three years ago, affecting nearly half the American population.

In the FireEye attack, the hackers went to extraordinary lengths to avoid being seen. They created several thousand Internet Protocol addresses, many within the United States, that had never previously been used in attacks. Staging the attack from those addresses let the hackers conceal their whereabouts: the sources blended in with ordinary American traffic and carried no history that a reputation feed could have flagged.
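The evasion described above is why matching source addresses against a reputation blocklist alone finds nothing: the addresses are fresh and have never been scored. A per-user "first seen" baseline, plus a check for one account arriving from several new addresses in a short window, catches the pattern instead. The following is an added Python example, not code from the original article or from FireEye. The log lines, the blocklist, the baseline cut-off and the thresholds are all constructed for illustration, and every address is from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed blocklist of "known bad" addresses. All addresses in this
# example are from RFC 5737 documentation ranges and are hypothetical.
BLOCKLIST = {"198.51.100.7", "198.51.100.9"}

# Constructed VPN login log (timestamp source_ip user result). The
# 203.0.113.x sources stand in for fresh, never-before-used addresses.
LOG_LINES = """\
2020-11-30T08:01:00Z 192.0.2.10 alice success
2020-11-30T08:05:00Z 192.0.2.11 bob success
2020-12-01T09:10:00Z 192.0.2.10 alice success
2020-12-02T02:14:00Z 203.0.113.41 alice success
2020-12-02T02:16:00Z 203.0.113.42 alice success
2020-12-02T02:18:00Z 203.0.113.43 alice success
2020-12-02T02:20:00Z 198.51.100.7 mallory failure
"""

# Assumed learning period: everything up to this instant counts as "normal".
BASELINE_END = datetime(2020, 12, 1, 23, 59, 59, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the space-separated log into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "user": user,
            "ok": result == "success",
        })
    return sorted(events, key=lambda e: e["ts"])


def reputation_hits(events):
    """Reputation-only check: source IPs that appear on the blocklist.
    Fresh infrastructure never shows up here."""
    return sorted({e["ip"] for e in events if e["ip"] in BLOCKLIST})


def first_seen_sources(events, baseline_end=BASELINE_END):
    """(user, ip) pairs for successful logins after the baseline period from
    an address that user never logged in from during the baseline."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] <= baseline_end:
            seen[e["user"]].add(e["ip"])
    return sorted(
        (e["user"], e["ip"])
        for e in events
        if e["ok"] and e["ts"] > baseline_end and e["ip"] not in seen[e["user"]]
    )


def new_ip_fanout(events, baseline_end=BASELINE_END,
                  window=timedelta(hours=1), threshold=3):
    """Users who log in from at least `threshold` distinct never-seen
    addresses within one `window`: the rotating-address pattern. Returns
    {user: count of distinct new IPs in the densest window}."""
    new_pairs = set(first_seen_sources(events, baseline_end))
    per_user = defaultdict(list)
    for e in events:
        if e["ok"] and e["ts"] > baseline_end and (e["user"], e["ip"]) in new_pairs:
            per_user[e["user"]].append(e)  # events are already time-ordered
    flagged = {}
    for user, evs in per_user.items():
        best = 0
        for i, start in enumerate(evs):
            in_window = {x["ip"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    print("blocklist hits:", reputation_hits(evs))        # ['198.51.100.7']
    print("first-seen logins:", first_seen_sources(evs))  # alice's three fresh IPs
    print("rotating-address users:", new_ip_fanout(evs))  # {'alice': 3}
```

On the constructed log the blocklist catches only the one address that was already known bad (and that login failed anyway), while the three successful logins from fresh addresses are invisible to it; the first-seen baseline flags all three, and the fan-out check turns them into a single alert on the account rather than three low-priority ones. In production the baseline would be a rolling window over real authentication data and the thresholds tuned to the environment.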

"This attack is different from the tens of thousands of incidents we have responded to throughout the years," said Kevin Mandia, chief executive of FireEye. (He was the founder of Mandiant, a firm that FireEye acquired in 2014.)

But FireEye said it was still investigating exactly how the hackers had breached its most protected systems. Details were scarce.

Mr. Mandia, a former Air Force intelligence officer, said the attackers "tailored their world-class capabilities specifically to target and attack FireEye." He said they appeared to be highly trained in "operational security" and exhibited "discipline and focus" while moving clandestinely to evade security tools and forensic examination. Google, Microsoft, and other companies that conduct cybersecurity research said they had never seen some of these techniques before.

FireEye also published detection signatures for its "Red Team" tools, rather than the tools themselves, so that others around the world could see attacks using them coming.

American investigators are trying to determine whether the attack bears any relationship to another sophisticated operation that the N.S.A. said Russia was behind in a warning issued Monday. That operation targets virtual machine (VM) software that is widely used by defense firms and manufacturers. The N.S.A. declined to say what the targets of that attack were. It is unclear whether the Russians used their success in that breach to gain entry into FireEye's systems.

The attack on FireEye could be a form of retaliation. The company's researchers have repeatedly called out Russian intelligence services — the G.R.U. (military intelligence), the S.V.R. (foreign intelligence), and the F.S.B., the Soviet-era K.G.B.'s successor agency — for high-profile hacks on the electrical grid in Ukraine and on American municipalities. They were also the first to call out Russian hackers behind an attack that disabled the safety instrumented systems at a Saudi petrochemical plant, the last safeguard before an explosion.

"The Russians believe in revenge," said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. "Suddenly, FireEye's clients are vulnerable."

On Tuesday, Russia's National Association of International Information Security held a forum with global security experts at which Russian officials again asserted that there was no evidence their hackers were responsible for attacks that have led to American sanctions and indictments.

Security companies have been a frequent target for nation-states and hackers, in part because their tools maintain deep-level access to corporate and government clients around the world. By hacking those tools and stealing source code, spies and hackers can gain a foothold into victims' systems.

McAfee, Symantec, and Trend Micro were among the major security companies whose code a Russian-speaking hacker group claimed to have stolen last year. Kaspersky, the Russian security firm, was hacked by Israeli hackers in 2017. And in 2012, Symantec confirmed that a segment of its antivirus source code had been stolen by hackers.

Source: The New York Times

FireEye, One of the Top Cybersecurity Companies, Hacked by a Nation-State — Bothrops Blog