US cyber security vendor FireEye has fallen victim to a state-sponsored cyber attack, likely from Russian intelligence.
The irony-laden incident was confirmed by FireEye on Wednesday morning with the company also admitting that attackers got hold of offensive tools FireEye uses to test its customers’ security.
FireEye CEO Kevin Mandia said the attackers had “world-class capabilities”.
“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia said.
“They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination.”
FireEye has contracts with US governments and just last week boasted about its partnership with Amazon Web Services (AWS) to “deliver advanced security” for government agencies in the cloud.
Mandia admitted the bad actors “primarily sought information related to certain government customers” but said there was no evidence of stolen customer data.
“If we discover that customer information was taken, we will contact them directly,” Mandia said.
FireEye has called in the US Federal Bureau of Investigation (FBI) to help investigate the incident.
The New York Times understands the FBI is using its Russian specialists for the case and an anonymous source close to the matter told the Washington Post it did appear to be an attack from Russian intelligence.
Beyond the concern that a government-contracted cyber security company was breached, the attackers also stole FireEye’s suite of offensive tools.
These ‘red team’ tools are used to emulate attacks on FireEye customers to test for weakness and responsiveness.
Mandia said there was no evidence its tools had yet been used by attackers.
“Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimise the potential impact of the theft of these tools,” he said.
The company published its countermeasures on GitHub; they include a set of common vulnerabilities and exposures (CVEs) along with YARA rules and signatures for the company’s red team tools.
Hackers have previously used stolen tools to augment existing operations, as was notoriously the case following a data breach at the US National Security Agency (NSA).
One of those NSA exploits, EternalBlue, was used to infect machines with the WannaCry ransomware.
Mandia said none of the stolen FireEye tools contained zero-day exploits.