When companies and states are attacked by hackers, Fireeye is often called in like a fire brigade. Now the company itself has been attacked, and the loot is likely to cause a lot of headaches around the world.
Fireeye is a kind of digital security service. If a company or a government institution is attacked, the experts from Fireeye are quickly on the scene. They analyze the hack, plug the holes and hunt for the culprits. The attack on the security company that has now come to light is therefore a real shock, especially since a state actor is suspected to be behind it.
“This attack is different from the tens of thousands of incidents that we have investigated over the years,” explains company boss Kevin Mandia on the company’s blog. How serious the situation is can be gauged from the fact that this was the first time he had spoken out there. Because this hack was no chance hit by some online extortionist, Mandia is certain: “The attackers have bundled their skills on a world-class level to attack Fireeye.”
Only a state actor is conceivable as the mastermind, Mandia explains, because only a state could operate at such an extremely high level. The attack was carried out with a high degree of precision and with well-concealed methods that specifically circumvented the experts’ numerous security measures. That was the result of an investigation conducted together with an investigation team from the FBI. “They used a novel combination of techniques that we and our partners have never seen before.”
That state actors are involved can also be inferred from the choice of stolen data. The attackers were primarily interested in information on the company’s government customers. Fireeye, which was partly funded by the CIA’s investment firm In-Q-Tel, is often the first port of call after attacks on government agencies because of its high level of expertise. However, there were no signs that the attackers actually succeeded in accessing customer data on the servers, Mandia explained.
The danger has not yet been averted
Instead, they made valuable booty elsewhere, the company’s boss admitted contritely. The hackers succeeded in stealing “tools” from the so-called Red Team. That is the term for hackers who operate inside the company like an external attacker in order to uncover security gaps. The only thing that distinguishes them from real attackers is their motivation, not their approach. The tools they use can be used for attacks on third parties in the same way as programs developed by malicious hackers.
It is worrying that whoever can hack an extremely well-secured company like Fireeye now has additional sophisticated tools at their disposal. The last threat of this magnitude came when the NSA’s attack tools were stolen by a group calling itself “Shadow Brokers” and offered on the darknet in 2016. No wonder Fireeye is doing everything it can to reduce the risk posed by its own software. The experts have published numerous signatures with which use of the stolen programs can be detected, along with instructions for countermeasures. So far, there do not seem to be any signs of abuse.
The trail leads to Russia
Fireeye has not yet publicly said which state it suspects is behind the attack. There is, however, a hint from the FBI. According to a report in the “New York Times”, the US federal police did not want to comment on the origin either, but internally the investigation was handed to the Russia division. If Russia is actually behind the action, it could also be a matter of settling old scores. “Revenge is important for Russians,” the newspaper quotes security expert James A. Lewis. Fireeye had repeatedly named Russian groups led by the military intelligence service GRU as the masterminds behind attacks. With the hack and the stolen tools, the opponent can now be exposed, according to Lewis. “Suddenly Fireeye’s customers are vulnerable.”