The gunsmith was robbed: the company FireEye, an American heavyweight in cybersecurity and one of the world leaders in the hunt for state hackers, saw at least some of its offensive tools stolen by hackers. An event of rare magnitude in the world of cybersecurity.
How the hackers got into this flagship of computer security has not been made public, nor has the exact date of the attack. “We were recently attacked by a highly sophisticated actor whose discipline, operational security and techniques lead us to believe that it was supported by a State”, Kevin Mandia, CEO and founder of the company, wrote in a statement on Tuesday, December 8.
FBI investigation underway
FireEye, close to the American intelligence services, notably offers companies lucrative consulting services to harden their computer networks. To this end, the company develops computer attack tools in order to test the defenses of its customers and to ensure that they are able to withstand all attacks, including the most advanced. At least some of these tools have been stolen by hackers.
FireEye has also made a name for itself since the early 2010s by analyzing high-level computer attacks and exposing hacker techniques and tools. In doing so, it uncovered numerous espionage operations, notably Russian ones.
The attack is being taken very seriously by the authorities. The US federal police, the FBI, took the rare step of confirming that an investigation was underway and gave initial indications about the suspects. “The first indications show an actor with a high level of sophistication, consistent with a nation-state”, said Matt Gorham, Deputy Director of the FBI’s Computer Attack Division.
No “zero-day” flaws
The impact of the attack is, however, still difficult to assess. Its main risk: that FireEye’s offensive tools are now used by hackers to carry out attacks.
The announcement of this hack immediately resurfaced the specter of the Shadow Brokers, the group of unknown hackers who published, in 2016, tools stolen from the National Security Agency (NSA), the US agency responsible for digital intelligence. Those tools were then used in May and June 2017 by hackers affiliated with North Korea and Russia in two large-scale computer attacks, WannaCry and NotPetya, which caused extensive damage all over the world.
The theft of FireEye’s tools is unlikely to produce such dramatic effects. At this stage, the company says it has not detected the use of its stolen tools against other targets. In addition, FireEye has made freely available technical elements allowing companies to detect the use of these tools and counter their effects. The company also specified that the stolen tools did not include software exploiting “zero-day” flaws, vulnerabilities that are not yet publicly known or patched.
The objective of the hackers is unclear. Did they want to acquire new digital weapons? Will they keep them for themselves or post them online? Was this retaliation against a company known for regularly disrupting the activity of spies in cyberspace? Since the offensive tools are meant to replicate the activity of real hackers, did the attackers want to gauge FireEye’s real ability to detect them? Or was their primary aim simply to obtain information about some of FireEye’s most sensitive customers?
It is, at this point, too early to tell. Kevin Mandia, the boss of FireEye, nevertheless claimed “to have no proof” that customer data was leaked during the attack. This matters because FireEye advises and intervenes with dozens of ministries and administrations in the main Western countries and, through its incident response, analysis and cyber attack preparedness work, collects large amounts of sensitive information.
“A nation with high-level capabilities”
The American press, citing anonymous sources, on Tuesday pointed to the Russian Foreign Intelligence Service, the SVR, whose hackers are best known to cybersecurity experts under the pseudonym Cozy Bear or APT29. A discreet and effective counterpart to Fancy Bear, which is attached to Russian military intelligence (GRU), the Cozy Bear group specializes in high-level espionage with a strong interest in Western governments: for example, it targeted Hillary Clinton’s campaign in 2016, without, however, making the information obtained public after that espionage operation.
For FireEye, there is little doubt that the attack it suffered was the work of “a nation endowed with high-level offensive capabilities”. “The attack is unlike the tens of thousands we have worked on for years. Attackers have adapted their world-class abilities specifically to target and attack FireEye. They are well trained and operated with discipline and focus. They acted clandestinely, using methods escaping detection tools and several techniques that we had never seen in the past”, Kevin Mandia detailed on the company’s website.
Although companies like FireEye specialize in computer security, they are also prime targets for hackers. FireEye’s Russian-born counterpart, Kaspersky, was itself penetrated by hackers, presumably Israeli, in 2017. These companies are doubly interesting to hackers. First, they hold information on their clients, sometimes extremely detailed and relating in particular to their defense mechanisms. Second, they carry out de facto counter-espionage operations in cyberspace by exposing the activities of the most sophisticated intelligence services. Enough to make some people grind their teeth.