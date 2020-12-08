Top Cyber Security Firm FireEye Says It Has Been Hacked By Nation-State
WASHINGTON – For years, the cybersecurity company FireEye was the first call for government agencies and businesses around the world that had been hacked by, or feared, the most sophisticated attackers.
Now it looks as if the hackers – in this case, the evidence points to Russian intelligence agencies – have turned the tables.
FireEye revealed on Tuesday that its own systems had been breached by what it called "a nation with top-tier offensive capabilities." The company said the hackers used "novel techniques" to make off with its own toolkit, which could be useful in mounting new attacks around the world.
It was a staggering theft, akin to bank robbers who, after cleaning out the local coffers, turned around and stole the FBI's investigative tools. In fact, FireEye said on Tuesday, moments after the market closed, that it had called in the FBI.
The $3.5 billion company, which partly makes its living identifying the culprits behind some of the world's most daring breaches – its clients have included Sony and Equifax – declined to say explicitly who was responsible. But its description, and the fact that the FBI turned the matter over to its Russia specialists, leaves little doubt about the identity of the main suspects, and that they were after what the company calls its "Red Team" tools.
These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses them – with the permission of a corporate client or a government agency – to probe their systems for vulnerabilities. Most of the tools are kept in a digital vault that FireEye closely monitors.
The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention – including FireEye's – was focused on securing the presidential election system. As the country's public and private intelligence systems hunted for intrusions into voter registration systems or voting machines, it may have been the moment for the Russian agencies implicated in the 2016 election hacking to turn to other targets.
The hack was the largest known theft of cybersecurity tools since those of the National Security Agency were stolen in 2016 by a still-unidentified group calling itself the Shadow Brokers. That group dumped the NSA's hacking tools online over several months, handing nation states and criminal hackers the "keys to the digital kingdom," as one former NSA operator put it. North Korea and Russia ultimately used the stolen NSA weapons in destructive attacks on government agencies, hospitals and the world's largest conglomerates, at a cost of more than $10 billion.
The NSA tools were probably more useful than FireEye's, since the US government builds purpose-made digital weapons. FireEye's Red Team tools are essentially built from malware the company has seen used in a wide variety of attacks.
Yet the advantage of using stolen weapons is that nation states can hide their own tracks when launching attacks.
"Hackers could take advantage of FireEye's tools to hack risky, high-level targets with plausible deniability," said Patrick Wardle, a former NSA hacker who is now a senior security researcher at Jamf, a software company. "In risky environments, you don't want to burn your best tools, so this gives advanced opponents a way to use someone else's tools without burning off their best abilities."
A group of hackers sponsored by the Chinese state was previously caught using NSA hacking tools in attacks around the world, apparently after discovering the NSA's tools on their own systems. "It's just obvious," Mr. Wardle said.
The breach is likely to be a black eye for FireEye. Its investigators worked with Sony after the devastating 2014 attack that the firm later attributed to North Korea. It was FireEye that was called in after the State Department and other US government agencies were breached by Russian hackers in 2015. And its major corporate clients include Equifax, the credit monitoring service that was hacked three years ago in a breach that affected nearly half of the American population.
In the FireEye attack, the hackers went to extraordinary lengths to avoid being seen. They created several thousand Internet Protocol addresses – many of them in the United States – that had never been used in attacks before. Staging the attack through those addresses helped the hackers hide their location and kept them off threat-intelligence blocklists.
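The technique above defeats the two cheapest controls most organizations rely on: IP reputation lists (the addresses had no history) and country-based filtering (many were American). The following is an added example, not FireEye's code and not from the original article, showing the kind of control that still works against fresh infrastructure: baseline the source addresses an environment has actually seen, then flag successful logins from addresses that have never appeared, and flag a burst of distinct never-seen addresses in a short window, which is the shape a freshly provisioned staging fleet produces. The CSV-style login records and their field layout are constructed for the example.

```python
"""Added example (not FireEye's code): flag logins from source IPs never seen
before in the environment, regardless of where they geolocate.

The attackers described above staged through thousands of fresh IP addresses,
many in the United States, so neither threat-intelligence blocklists nor
country-based filters would have fired. A 'first seen' baseline is one control
that does not depend on the attacker's infrastructure having a history.
"""
from datetime import datetime, timedelta

# Constructed sample VPN/SSO login records (timestamp,user,source_ip,result).
# The first two weeks are the learning period; the 2020-11-20 lines model a
# burst of logins from never-seen addresses in one short window.
SAMPLE_LOG = """\
2020-11-01T08:02:11Z,alice,203.0.113.10,success
2020-11-02T09:15:40Z,bob,198.51.100.7,success
2020-11-03T18:44:02Z,alice,203.0.113.10,success
2020-11-20T03:12:55Z,alice,192.0.2.44,success
2020-11-20T03:13:20Z,bob,192.0.2.91,success
2020-11-20T03:13:51Z,carol,192.0.2.130,success
2020-11-20T03:14:07Z,dave,192.0.2.201,failure
2020-11-21T10:00:00Z,bob,198.51.100.7,success
"""


def parse(log_text):
    """Yield (datetime, user, ip, result) tuples from the CSV-style lines."""
    for line in log_text.splitlines():
        ts, user, ip, result = line.strip().split(",")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def first_seen_logins(log_text, baseline_days=14,
                      cluster_window=timedelta(minutes=5), cluster_min=3):
    """Return (new_ip_logins, bursts).

    new_ip_logins: the first successful login from each source IP that was
                   not observed during the first `baseline_days` of the log.
    bursts:        (start_time, [ips]) for a window in which at least
                   `cluster_min` distinct never-seen IPs logged in successfully
                   within `cluster_window` of each other.
    """
    events = sorted(parse(log_text))
    if not events:
        return [], []
    baseline_end = events[0][0] + timedelta(days=baseline_days)
    # Everything observed in the learning period counts as known, whatever
    # its reputation or country: the point is history, not geography.
    known = {ip for ts, _, ip, _ in events if ts <= baseline_end}

    new_ip_logins = []
    for ts, user, ip, result in events:
        if ts > baseline_end and result == "success" and ip not in known:
            new_ip_logins.append((ts, user, ip))
            known.add(ip)  # report each address once, on first sight

    bursts = []
    for i, (ts, _, _) in enumerate(new_ip_logins):
        window = [e for e in new_ip_logins[i:] if e[0] - ts <= cluster_window]
        ips = sorted({e[2] for e in window})
        if len(ips) >= cluster_min:
            bursts.append((ts, ips))
            break  # one report per cluster is enough for the demonstration
    return new_ip_logins, bursts


if __name__ == "__main__":
    new_logins, clusters = first_seen_logins(SAMPLE_LOG)
    for ts, user, ip in new_logins:
        print(f"{ts.isoformat()} first-seen source {ip} for user {user}")
    for start, ips in clusters:
        print(f"{start.isoformat()} burst of {len(ips)} never-seen sources: {ips}")
```

The learning period is the weak point of this approach: an attacker already inside during the baseline window is "known", so the baseline should be built from a period you have reason to trust and re-examined when an intrusion is discovered. The failed login from 192.0.2.201 is deliberately not counted, since a single failure from a fresh address is too common to alert on; the burst rule is what separates a staging fleet from ordinary noise.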
"This attack is unlike the tens of thousands of incidents we've responded to over the years," said Kevin Mandia, FireEye's chief executive. (He was the founder of Mandiant, a company FireEye acquired in 2014.)
But FireEye said it was still investigating how the hackers breached its most protected systems. Details were thin.
Mr. Mandia, a former Air Force intelligence officer, said the attackers "tailored their world-class capabilities specifically to target and attack FireEye." He said they appeared to be highly skilled in "operational security" and showed "discipline and focus," moving stealthily to evade detection by security tools and forensic examination. Google, Microsoft and other companies that conduct cybersecurity investigations said they had never seen some of these techniques.
FireEye also released detection signatures (what it calls countermeasures) for the stolen Red Team tools, so that defenders around the world can spot the tools if they are used against them. It did not release the tools themselves.
American investigators are trying to determine whether the attack is connected to another sophisticated operation that the NSA, in a warning issued on Monday, said Russia was behind. That operation targets software made by VMware that is widely used by defense companies and manufacturers. The NSA declined to say who the targets of that attack were, and it is not known whether the Russians used their success in that breach to get into FireEye's systems.
The attack on FireEye could be a kind of retaliation. The company's investigators have repeatedly called out Russian intelligence agencies – the GRU, the SVR and the FSB, the successor to the Soviet-era KGB – for high-profile hacks of the power grid in Ukraine and of American municipalities. They were also the first to identify the Russian hackers behind an attack that successfully disabled the safety systems at a Saudi petrochemical plant, the last line of defense before an explosion.
Security firms have been a frequent target of nation states and criminal hackers, in part because their tools maintain a deep level of access to corporate and government customers around the world. By hacking those tools and stealing their source code, spies and hackers can gain a foothold in the systems of the firms' customers.
McAfee, Symantec and Trend Micro were on the list of major security companies whose code a Russian-speaking hacker group claimed to have stolen last year. Kaspersky, the Russian security company, was hacked by Israeli hackers in 2017. And in 2012, Symantec confirmed that a portion of its antivirus source code had been stolen by hackers.
David E. Sanger reported from Washington and Nicole Perlroth from San Francisco.
