Now cybersecurity firm FireEye hit by nation-state hackers

In a disturbing trend, global cyber security company FireEye has revealed it was attacked by highly sophisticated state-sponsored threat actors who accessed its internal network and stole hacking tools the company uses to test the networks of its customers.

During its investigation, the US-based firm found that the attacker targeted and accessed certain Red Team assessment tools that is uses to test its customers’ security.

“These tools mimic the behaviour of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” FireEye CEO Kevin Mandia said in a statement on Tuesday.

“None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools,” Mandia added.

Late last month, another leading cyber security company Sophos notified some customers via email about a data security breach, saying a small subset of customers were affected. The data exposure included details such as customers’ first and last names, email addresses and phone numbers (wherever provided).

According to Mandia, they are witnessing an attack by a nation with top-tier offensive capabilities.

“They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past,” he explained.

FireEye said it was investigating the attack in coordination with the Federal Bureau of Investigation (FBI and other key partners, including Microsoft.

“Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilising novel techniques”.

The company said it is not sure if the attacker intends to use its Red Team tools or to publicly disclose them.

“Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimise the potential impact of the theft of these tools,” Mandia noted.

Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers.

“While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems,” the FireEye CEO explained.

“If we discover that customer information was taken, we will contact them directly”.

In another bizarre incident in November last year, global cybersecurity firm Palo Alto Networks “admitted” that the personal details of its seven current and former employees had been “inadvertently” published online by a “third-party vendor”.

The personal details of some past and present employees — their names, dates of birth and social security numbers — were exposed online.

Palo Alto Networks, however, did not divulge further details on who the third-party vendor was and how the personal details of the employees were leaked.

San Francisco-based HackerOne which itself is a vulnerability coordination and bug bounty platform and boasts of clients like Starbucks, Instagram, Goldman Sachs, Twitter and Zomato, in December last year paid $20,000 to a community user who exposed a vulnerability in its own bug bounty platform.