By Frank Bajak and Matt O’Brien | Associated Press
BOSTON — Prominent U.S. cybersecurity firm FireEye said Tuesday that it was hacked by what could only be a government with “world-class capabilities,” and the hackers stole tools the company uses to test the strength of customers’ defenses.
“I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” FireEye CEO Kevin Mandia said in a statement. “This attack is different from the tens of thousands of incidents we have responded to throughout the years.”
He did not indicate who might be responsible or say when the company detected the hack. Phone calls to company officials were not immediately returned.
The stolen “red team” tools could be dangerous in the wrong hands, though FireEye said there’s no indication they have been used. The company said it developed 300 countermeasures to protect customers and others from them and was making them immediately available.
The hackers “primarily sought information related to certain government customers,” Mandia said, without naming them. He said there was no indication that customer information obtained from FireEye’s consulting or incident-response businesses was accessed by the hackers.
Based in Milpitas, California, the publicly traded cybersecurity company has been at the forefront of investigating sophisticated state-backed hacking groups, including Russian groups trying to break into state and local governments in the U.S. that administer elections. It counts many of those state and local governments among its customers.
Among attributions credited to FireEye was that Russian military hackers were behind 2015 and 2016 mid-winter attacks on Ukraine’s energy grid.
FireEye said it is investigating the attack in coordination with the FBI and other partners such as Microsoft, which has its own cybersecurity team. Mandia said the hackers used “a novel combination of techniques not witnessed by us or our partners in the past.”
Matt Gorham, assistant director of the FBI’s cyber division, said “preliminary indications show an actor with a high level of sophistication consistent with a nation state” was involved. He said the government is “focused on imposing risk and consequences on malicious cyber actors, so they think twice before attempting an intrusion in the first place.”
That has included what the U.S. Cyber Command terms “defending forward” operations, which include penetrating networks of adversaries, including Russia.
The nation’s Cybersecurity and Infrastructure Security Agency said Tuesday that it has not received reporting of FireEye’s stolen tools being used maliciously, but warned that “unauthorized third-party users could abuse these tools to take control of targeted systems.”
U.S. Sen. Mark Warner, a Virginia Democrat on the Senate’s intelligence committee, applauded FireEye for quickly disclosing the intrusion.
“We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers,” Warner said in a statement.
Cybersecurity expert Dmitri Alperovitch said he was not surprised by the announcement because companies like FireEye are top targets.
“Every security company is being targeted by nation-state actors. This has been going on for over a decade now,” said Alperovitch, the co-founder and former chief technical officer of CrowdStrike, which investigated the 2016 Russian hack of the Democratic National Committee and Hillary Clinton’s campaign.
He said the release of the “red-team” tools, while a serious concern, was “not the end of the world because threat actors always create new tools.”
“This could have been much worse if their customer data had been hacked and exfiltrated. So far there is no evidence of that,” Alperovitch said.
O’Brien reported from Providence, Rhode Island. Associated Press writer Eric Tucker in Washington contributed to this report.