Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Leading Cybersecurity Firm FireEye Hacked, Likely by the Russians

December 9, 2020

The New York Times (sub.req.) reported on December 8 that cybersecurity firm FireEye, often the first company to be called by major league companies and governments after a hack, has been hacked itself.

FireEye revealed on December 8 that its own systems were compromised by what it called "a nation with top-tier offensive capabilities." The company said hackers used "novel techniques" to make off with its own tool kit, which could be helpful in mounting new attacks around the world. Who is responsible? Likely, it was Russia's intelligence agencies.

FireEye has called in the FBI. The $3.5 billion company declined to say explicitly who was responsible. But its description, and the fact that the FBI has turned the case over to its Russia specialists, left little doubt who the leading suspects were and that they were after what the company calls "Red Team tools."

These are digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools, with the permission of a client company or government agency, to search for vulnerabilities in their systems. Most of the tools are based in a digital vault that FireEye closely guards.

The story suggests that Russian intelligence agencies saw an advantage in mounting the attack while American attention, including FireEye's, was focused on securing the presidential election system.

The hack was the biggest known theft of cybersecurity tools since those of the National Security Agency were stolen in 2016 by a still-unidentified group that calls itself the ShadowBrokers. That group dumped the NSA's hacking tools online over several months, giving nation-states and hackers the "keys to the digital kingdom," as one former NSA operator put it. North Korea and Russia ultimately used the tools in destructive attacks on government agencies, hospitals and the world's biggest conglomerates – the attacks cost more than $10 billion.

The NSA's tools may have been more useful to the thieves, since the agency was building purpose-made digital weapons. In contrast, FireEye's Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks.

However, the advantage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks. This gives them plausible deniability.

The breach will almost certainly be a black eye for FireEye.

In the FireEye attack, the hackers went to great lengths to avoid being seen. They created several thousand internet protocol addresses, many inside the United States, that had never before been used in attacks. By using those addresses to stage their attack, the hackers better concealed their whereabouts.

"This attack is different from the tens of thousands of incidents we have responded to throughout the years," said Kevin Mandia, FireEye's chief executive. (He was the founder of Mandiant, a firm that FireEye acquired in 2014.)

FireEye said it was still investigating exactly how the hackers had breached its most protected systems. Details, as the NYT story says, were thin.

Mr. Mandia, a former Air Force intelligence officer, said the attackers "tailored their world-class capabilities specifically to target and attack FireEye." He said they appeared to be highly trained in "operational security" and exhibited "discipline and focus," while moving clandestinely to escape the detection of security tools and forensic examination. Google, Microsoft and other firms that conduct cybersecurity investigations said they had never seen some of these techniques.

FireEye has published key elements of its "Red Team" tools so that others around the world would see attacks coming.

American investigators are trying to determine if the attack has any relationship to another sophisticated operation that the NSA said Russia was behind in a warning issued on Monday. That operation involved virtual machine (VM) software, which is widely used by defense companies and manufacturers. No one is sure whether the Russians used their success in that breach to get into FireEye's systems.

The attack on FireEye could be retaliation. The company's investigators have repeatedly called out units of the Russian military intelligence for high-profile hacks on the power grid in Ukraine and on American municipalities. They were also the first to call out the Russian hackers behind an attack that successfully dismantled the industrial safety locks at a Saudi petrochemical plant, the very last step before triggering an explosion.

This is a developing story which I will continue to watch.

Hat tip to Catherine Sanders-Reach and Dan Pinnington.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson