As cyber security professionals, we constantly remind the people around us that it’s not a question of if a cyber attack will happen, but when. No organisation is exempt from at least an attempted hack, and the FireEye cyber attack, on one of the world’s leading cybersecurity firms, is no exception.
FireEye announced this week that the company had been breached by attackers. Without naming names, they also said that the attackers were a nation state with top-tier offensive capability (some commentators suggest Russian state agencies were behind the attack). Of most concern, the FireEye cyber attack used never-before-seen techniques to grab FireEye’s toolkit. The concern is whether those tools can be used in future attacks on FireEye’s customers, or on other organisations.
FireEye are more used to being the protector, not the victim. As well as several governments and government agencies around the world, they are used by high profile international companies who have turned to them when they have suffered a cyber attack. FireEye worked with Sony after they were attacked by North Korea in 2014, and with Equifax who suffered a major data breach in 2017, affecting millions of individuals worldwide.
The FireEye cyber attack put them on the other side. As an attack on one of the most respected cybersecurity companies in the world, this breach will have significance for the entire cybersecurity community.
What happened in the FireEye cyber attack?
FireEye’s CEO Kevin Mandia released a blog post setting out FireEye’s account of events. In it, he wrote that the attackers were able to get hold of FireEye’s ‘Red Team Tools’, the tools FireEye uses to mimic real attackers’ tooling when testing their clients’ systems. These tools were built by FireEye based on their cybersecurity work. They don’t contain any zero-day exploits (exploits for vulnerabilities that have no fix available yet), and FireEye say that they are of limited use to a threat actor.
Mandia was also quick to point out that the attackers tried to access information about government customers, but that to date they can’t see any evidence that the attackers were able to access any customer information.
The FireEye cyber attack: sophisticated and new
The FireEye hack was an attack of the highest calibre. It was carried out by a team of sophisticated threat actors who showed remarkable discipline and operational security, and who used techniques that FireEye had never seen before. This was a targeted attack, tailored specifically to FireEye.
In order to carry out the attack, they created several thousand internet protocol (IP) addresses which had never been used in attacks before, so they were entirely off the radar. Many of these were US-based addresses, which hid the attackers’ true location and did not raise red flags. They appear to have drawn on considerable experience to move clandestinely through FireEye’s systems and avoid detection.
Why were FireEye hacked?
This FireEye cyber attack has echoes of an attack way back in 2011. In that case stolen data from a cyber attack on RSA Security was then used to attack defence contractor Lockheed Martin. The threat actors had stolen SecurID authentication tokens and then used them on one of the company’s high profile customers. At the time it was felt that the purpose of the attack on RSA Security was solely to access information pertaining to defence contractors.
While the motive of the FireEye hack is unknown, it could well be that their customer list of governments and government agencies is in fact the ultimate target. That could be why FireEye responded the way they did. In the aftermath of the attack, FireEye published details of key parts of their stolen Red Team tools, and also released over 300 countermeasures to enable organisations to recognise those tools should they encounter them in the wild, and to arm themselves against an attack that uses them.
The importance of cybersecurity protection
This attack is significant as it shows that no organisation is exempt from attack. It also shows just how far threat actors are willing to go in order to breach an organisation’s defences.
In the FireEye cyber attack, their Red Team Tools may have been stolen, but their defences were able to prevent the attackers from accessing customer information, which would have had far more significant consequences for FireEye, their customers, and cybersecurity as a whole.
Infrastructure and network security is key to ensuring that when a cyber attack does occur, the impacts are limited as far as possible, and the organisation is able to get back to business as usual as fast as possible.