FireEye, one of the largest cybersecurity firms in the US, says it believes it’s been the victim of a state-sponsored hacking attack that saw the theft of internal tools it uses to conduct penetration testing for other companies. “Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security and techniques lead us to believe it was a state-sponsored attack,” Kevin Mandia, the CEO of FireEye, said in a blog post detailing the incident. “This attack is different from the tens of thousands of incidents we have responded to throughout the years.” Mandia didn’t say when the attack happened.
FireEye has a variety of clients in the national security space both in the US and abroad. After the disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) published a bulletin, advising cybersecurity specialists to get up to speed with the incident.
The company says none of the stolen tools include zero-day exploits — that is, exploits for vulnerabilities that don’t yet have a fix. There’s also no evidence yet to suggest the tools have been used in the wild, or that whoever was behind the attack was able to obtain any client data. But just to be safe, FireEye has shared countermeasures that can detect or block the use of its stolen tools. Those countermeasures are publicly available on GitHub. The company is also working with Microsoft and the FBI to investigate what happened. “We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them,” Mandia said.
According to The Washington Post, APT29 (otherwise known as Cozy Bear), a hacker group that’s believed to be associated with Russia’s Foreign Intelligence Service, is likely behind the attack. That’s the same group that hacked the servers of the Democratic National Committee ahead of the 2016 presidential election.
“This incident demonstrates why the security industry must work together to defend against and respond to threats posed by well-funded adversaries using novel and sophisticated attack techniques,” a Microsoft spokesperson told Reuters.
As The New York Times points out, this is the largest known theft of cybersecurity tools since the National Security Agency was hacked by a group known as The Shadow Brokers. Out of that attack came WannaCry, which Russia and North Korea used to conduct ransomware attacks on hospitals, businesses and other organizations.