Cybersecurity firm FireEye has revealed that it was recently attacked by “a highly sophisticated threat actor”. In a blog post, CEO Kevin Mandia said the attacker’s discipline, operational security and techniques led FireEye’s specialists to believe the attack was state-sponsored. FireEye is sharing the details of its investigation to help others fight and defeat cyber attacks.
“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.
“We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.
“During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.
“We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.”
Mandia wrote on December 8 that the company has seen no evidence to date that any attacker has used the stolen Red Team tools, and FireEye continues to monitor for any such activity.
In response, FireEye has prepared countermeasures that can detect or block use of the stolen Red Team tools, built them into its own security products and shared them with colleagues in the security community so that they can update their own tools. The countermeasures are also publicly available, published as detection signatures in common formats (Snort, Yara, ClamAV and HXIOC) so that any organisation can load them into the sensors it already runs. Mandia added that FireEye will continue to share and refine additional mitigations for the Red Team tools as they become available, both publicly and directly with the firm’s security partners.
“Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly,” Mandia continued.
“We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. We will never be deterred from doing what is right.”