Many federal agencies in the U.S. depend on FireEye's defensive capabilities to protect sensitive information from hackers. But now FireEye, supposedly the top cybersecurity firm, has itself been hacked, with all evidence pointing to a nation-state with "top-tier offensive capabilities", in this case Russia.
While it is not clear whether the hackers were able to get away with any government data, FireEye confirmed that the attackers stole the company's security toolkit, known as its "Red Team tools", which could be used in future cyber-attacks. According to the company, the primary objective was to steal information on its government clients, which include the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), among many others.
"During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers' security. None of the tools contain zero-day exploits," FireEye CEO Kevin Mandia said in a blog post, adding that the firm was taking measures to detect the use of the stolen tools.
Who Were Behind The Attack?
FireEye itself refrained from naming Russia. When the company handed the case over to the FBI, the agency assigned its Russia specialists to the job. The FBI also did not name any country, but said that the "high level of sophistication was consistent with a nation-state." The hackers took extraordinary measures to conceal their identities: according to the New York Times, the attackers used several thousand Internet Protocol (IP) addresses that had not been used before. Many of those IP addresses were in the U.S., which helped the attackers avoid detection and hide their whereabouts.
The breach is likely to ruffle a few feathers, as the attack exposes a potential weakness in FireEye's defenses even though the company says it faced a highly sophisticated cyberattack. The stolen tools, which include "scripts used for automating reconnaissance" and frameworks similar to publicly available tools such as Cobalt Strike and Metasploit, will also have to be monitored closely.
"We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools," Mandia said, adding that the tools haven't been used in any other attack yet.
What Are The Implications?
Not so long ago the NSA faced a similar breach, when its prized hacking tools were plundered and shared online by an unidentified group calling itself the Shadow Brokers. Cybersecurity firm Symantec claimed in a report that the Chinese hacker group Buckeye had obtained some of those tools, including 'EternalBlue', 'Bemstour' and 'DoublePulsar', and used them to exploit Windows vulnerabilities. Since 2016, Russian, Chinese and North Korean hacker groups have allegedly used those digital weapons to attack government agencies, company networks and the healthcare system, inflicting an estimated loss of $10 billion.
While FireEye's toolkit may not be as powerful as the NSA's, the tools will likely appear online or be used by attackers to break into other networks in the future. Then there is the question of trust in FireEye's defensive capabilities. Following the 2016 U.S. Presidential Election, American intelligence agencies accused Russia of meddling in the polling process.
Since then, federal agencies have strengthened their cybersecurity measures to prevent future breaches. Barring a few attacks involving zero-day exploits, those defensive tactics have been successful. Even Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said that the 2020 Presidential Election was one of the most secure ever. However, with a section of American voters still doubting the election results, FireEye's breach will certainly raise more questions about the security of the process.