FireEye, one of the largest cybersecurity companies in the United States, said on Tuesday that its systems had been compromised and that the hacking tools it uses to test its clients’ defenses had been stolen; it hinted that the attacker could be a government.
The company holds an array of contracts across the US cybersecurity sector and among US allies. Following news of the attack, FireEye saw its shares drop 8% in after-hours trading.
The breach was disclosed in a public filing with the Securities and Exchange Commission, which cited the company’s CEO, Kevin Mandia.
In a blog post, FireEye said the red team tools were stolen as part of a highly sophisticated, likely government-backed hacking operation that used previously unseen techniques.
The timing of the initial intrusion wasn’t specified, but according to an individual close to the event, the company has been resetting user passwords over the past two weeks.
Beyond the theft of the tools, the hackers also appeared to be interested in a subset of FireEye customers: government agencies.
Rep. Adam Schiff, chairman of the House Intelligence Committee, said he would request more information.
“We have asked the relevant intelligence agencies to brief the Committee in the coming days about this attack, any vulnerabilities that may arise from it, and actions to mitigate the impacts.” Schiff said.
So far there is no evidence that the stolen FireEye tools have been used or that any of its clients’ data has been taken, but the Federal Bureau of Investigation (FBI) and Microsoft are helping to investigate.
“The FBI is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation state,” said Matt Gorham, assistant FBI director for the Cyber Division.
A former Defense Department official familiar with the case said that Russia was on his list of suspects.
Russian government meddling in US elections has long been a top concern for the country’s security agencies, and as a result US officials have publicly exposed some Russian hacking techniques.
FireEye isn’t the first to be compromised: other big names such as Bit9, Kaspersky Lab and even RSA have all been successfully hacked in the past.
“Plenty of similar companies have also been popped like this,” said a Western security official who asked not to be named.
“The goal of these operations is typically to collect valuable intelligence that can help them defeat security countermeasures and enable hacking of organizations all over the world,” said Dmitri Alperovitch, co-founder and former chief technology officer at top rival CrowdStrike.
FireEye’s disclosure of what happened and which tools were taken is “helping to minimize the chances of others getting compromised as a result of this breach.”
The company, however, said it was working to shore up defenses against its own tools, both by working with other software makers and by releasing countermeasures publicly.
Those countermeasures showed that the tools use modified versions of publicly available programs, said Vincent Liu, chief executive of security firm Bishop Fox and a former National Security Agency analyst.
Mandia, the company’s CEO, said that none of the red team tools exploited so-called “zero-day” vulnerabilities, flaws that are unknown to the software vendor and for which no patch yet exists.
Past attacks on government agencies and contractors have captured such higher-value hacking tools, and some of those tools have since been published, wrecking their effectiveness as defenses are put in place.
In the past, both the NSA and CIA have been compromised, with Russia the key suspect. Meanwhile, Russian and Iranian tools have been published after being stolen, and private makers of surveillance software have also been targeted.
Some experts said it is hard to estimate the impact of a leak of tools that target known software vulnerabilities, but it could make attackers’ jobs easier.
“Exploitation tools in the wrong hands will lead to more victimization of people who don’t see it coming, and there’s already enough problems like that,” said Paul Ferguson, threat intelligence principal at security company Gigamon. “We don’t really need more exploitation tools floating around making it easier – look at ransomware.”
Whenever private companies learn of a vulnerability in their software products, they typically offer a “patch” or upgrade that fixes the issue. But many users do not install these patches right away, and some do not for months or longer, leaving their software vulnerable to attack.