FireEye built its reputation on defending high-stakes clients against hackers. Today, the cybersecurity firm admitted that it had itself been breached, and that the attackers made off with some of its offensive tools. It’s a surprising admission, but certainly not as devastating as it might seem at first glance.
Like many cybersecurity companies, FireEye uses its “red team” tools to mimic those used in real attacks and to probe its customers’ systems for vulnerabilities just as real adversaries would. The company is able to update and refine its methods as it encounters and investigates real state and criminal hacking tools while helping clients respond to incidents. But that is still a far cry from the investment required to develop a new offensive arsenal, and the stolen toolkit is not as scary as the tools available to, for example, the National Security Agency.
FireEye CEO Kevin Mandia said in a blog post today that the company had been hit by an “attack by a country with top-tier offensive capabilities” and had enlisted the help of the Federal Bureau of Investigation along with industry peers like Microsoft. The Washington Post reported Tuesday that hackers from the group known as APT 29 or Cozy Bear, attributed to the Russian foreign intelligence service SVR, carried out the breach.
FireEye has both global significance and a history of engagement with Russian actors. The company was the first, for example, to link the hacker group known as Sandworm, responsible for the power outages in Ukraine in 2015 and 2016 as well as the hyperdestructive NotPetya worm the following year, to Unit 74455 of the Russian military intelligence agency GRU. FireEye also provided the first public evidence that the same GRU unit was responsible for the 2018 Winter Olympics sabotage attempt. All of these attacks were later named in a US indictment against six Sandworm hackers unveiled in October.
The seemingly retaliatory hack sends a clear message that while Russia may have been relatively quiet during the US presidential election, the Kremlin’s digital prowess remains formidable. At the same time, the fallout from the hack does not compare to the release of tools like the NSA’s EternalBlue exploit, which a mysterious group called the Shadow Brokers leaked in 2017, or the 2015 breach of the exploit broker Hacking Team.
“The most important data a company like FireEye has is data about its customers. The second most important data they have are the sources and methods they use to protect their clients,” such as threat intelligence data, says Richard Bejtlich, former director of security for Mandiant, FireEye’s incident response division, and senior network security strategist at the analysis firm Corelight. “Further down are the tools of the red team, where they imitate the adversaries.”
FireEye said on Tuesday that none of the stolen red team tools use so-called zero-day exploits, which take advantage of undisclosed and unpatched software vulnerabilities and are therefore particularly dangerous. Still, Russia could use the tools itself, share them with others, or disclose them publicly. The company said it does not yet fully understand the hackers’ plans or motivations, although they focused their attack mainly on information related to certain government clients of FireEye.
Mandia has repeatedly pointed out that FireEye is releasing more than 300 “countermeasures” designed to make it harder for Russia to use the stolen hacking tools effectively. The company has incorporated these digital antidotes, essentially detection signatures and blocking rules, into its own security products, shared them with other companies, and published them publicly.