Hackers attack US cyber-security firm FireEye; Russia suspected

FireEye's chief executive Kevin Mandia said the attackers were a "nation with top-tier offensive capabilities", and that they made off with sensitive tools used by the company. PHOTO: REUTERS

WASHINGTON • FireEye, one of the largest US cyber-security companies, said yesterday that it had been hacked, possibly by a foreign adversary.

The attackers made off with sensitive tools that FireEye uses to find vulnerabilities in clients' computer networks.

The attackers were a "nation with top-tier offensive capabilities", said chief executive officer Kevin Mandia.

He did not identify the country suspected in the attack, but a person familiar with the incident said investigators believe hackers closely aligned with the Russian government were behind it.

The hackers "tailored their world-class capabilities specifically to target and attack FireEye", said Mr Mandia in a company blog on Tuesday. "They are highly trained in operational security and executed with discipline and focus."

The motive for the attack was not clear, but the company said "red team tools" were stolen.

Red team tools mimic the behaviour of hackers and enable FireEye to provide "diagnostic security services" to customers. So far, the company had not seen evidence that anyone had used the tools in an attack.

There is no evidence that FireEye's hacking tools have been used or that client data was stolen. But the Federal Bureau of Investigation (FBI) and Microsoft said they are investigating.

The FBI's cyber division assistant director Matt Gorham said that preliminary indications "show an actor with a high level of sophistication consistent with a nation state".

Beyond the tool theft, the hackers also appeared to be interested in a subset of FireEye customers: government agencies.

A former Defence Department official familiar with the case said that Russia was high on the early list of suspects. In the run-up to the US presidential election, US officials exposed some Russian hacking techniques.

The attack on FireEye could also be a retaliation of sorts as the company's investigators have often called out units of the Russian military intelligence - the GRU, the SVR and the FSB, the successor agency to the Soviet-era KGB - for high-profile hacking attacks on the power grid in Ukraine and on American municipalities.

They were also the first to call out the Russian hackers behind an attack that successfully dismantled the industrial safety locks at a Saudi petrochemical plant, the very last step before triggering an explosion.

"The Russians believe in revenge," said cyber-security expert James A. Lewis at the Centre for Strategic and International Studies in Washington. "Suddenly, FireEye's customers are vulnerable."

Other security companies have been successfully hacked before, including Bit9, Kaspersky Lab and RSA, underscoring the difficulty in keeping anything digital away from the most sophisticated hackers.

Based in California, FireEye protects more than 1,000 government and law enforcement agencies, according to its website.

"Plenty of similar companies have also been popped like this," said a Western security official who asked not to be named.

Mr Dmitri Alperovitch, co-founder and former chief technology officer at top rival CrowdStrike, said: "The goal of these operations is typically to collect valuable intelligence that can help them defeat security countermeasures and enable hacking of organisations all over the world."

The hacking was discovered in recent weeks after a suspicious log-in was found to have bypassed the two-factor authentication requirement on the company's virtual private network, according to FireEye.

The attackers carried out the hacking from two dozen IP addresses based in the United States, none of which has been detected as part of a cyber attack before - the type of sophisticated tactics that led FireEye to believe a foreign intelligence service was behind the incident.

FireEye said it has been working to shore up defences against its own tools with different software makers, and it released countermeasures publicly.

Mr Mandia wrote that none of the red team tools exploited so-called "zero-day vulnerabilities", meaning the relevant flaws should already be public.



A version of this article appeared in the print edition of The Straits Times on December 10, 2020, with the headline Hackers attack US cyber-security firm FireEye; Russia suspected.