
FireEye hack: Cybersecurity firm says nation-state stole attacking tools

"This attack is different from the tens of thousands of incidents we have responded to throughout the years," the firm says in an SEC filing.

Alfred Ng Senior Reporter / CNET News

FireEye said the attack likely came from a nation-state.

Rafael Henrique/Getty Images

Major cybersecurity firm FireEye has been hit by a cyberattack, with hackers stealing its attack test tools in a targeted heist, the company said in a blog post Tuesday. CEO Kevin Mandia said the hack most likely came from a nation-state attacker. 

The hack hit one of the largest cybersecurity companies in the US. FireEye has investigated prominent cyberattacks including the Equifax breach and the Democratic National Committee hack. The hackers stole FireEye's "Red Team" tools, a collection of malware and exploits used to test customers' vulnerabilities. Mandia said none of the tools was a zero-day exploit (a vulnerability that doesn't have a fix). 

"Based on my 25 years in cyber security and responding to incidents, I've concluded we are witnessing an attack by a nation with top-tier offensive capabilities," Mandia said in his post. "This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye."

The firm said it's working with the FBI to determine how it was hacked, as well as with partners like Microsoft.

"The FBI is investigating the incident, and preliminary indications show an actor with a high level of sophistication consistent with a nation-state," said the FBI Cyber Division's assistant director, Matt Gorham.

Microsoft confirmed that it's assisting with the investigation and noted that the hackers used a rare combination of techniques to steal FireEye's tools. 

"This incident demonstrates why the security industry must work together to defend against and respond to threats posed by well-funded adversaries using novel and sophisticated attack techniques," Microsoft said in a statement. "We commend FireEye for their disclosure and collaboration, so that we can all be better prepared."

Mandia said FireEye hasn't seen any evidence that its stolen tools have been used, but the company will continue to monitor for any activity. FireEye has also released countermeasures for its own attacking tools on GitHub.

In a Securities and Exchange Commission filing, FireEye noted that the attacker's methods were highly sophisticated, using techniques that would cover tracks and make any forensics investigations difficult. The combination of techniques hadn't been seen before by the company, Mandia said. 

Cybersecurity companies aren't immune to hacks just because it's their job to defend against them. Firms like Symantec, Kaspersky and Trend Micro have all suffered attacks in the past. 

In 2017, a group of hackers stole cyberattack tools from the US National Security Agency, which allowed for rampant hacks like the WannaCry ransomware campaign.

FireEye said it hasn't seen any evidence that the hackers stole data from the company or took any information about its customers.

"This news about FireEye is especially concerning because reportedly a nation-state actor made off with advanced tools that could help them mount future attacks," Rep. Adam Schiff, chairman of the House Select Committee on Intelligence, said. "We have asked the relevant intelligence agencies to brief the committee in the coming days about this attack, any vulnerabilities that may arise from it, and actions to mitigate the impacts."

Sen. Mark Warner, a Democrat from Virginia and co-chair of the Senate Cybersecurity Caucus, commended FireEye for disclosing the attack, and urged other potential victims to do the same. 

"We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers," Warner said. "As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely."