FireEye, a top cybersecurity firm that has built a reputation for tracking the digital fingerprints in major cyberattacks, has now become a target in a highly sophisticated attack that it says was done by a skilled nation-state.
FireEye acknowledged to The Hill and other news outlets on Tuesday that its own systems were penetrated by “a nation with top-tier offensive capabilities.”
FireEye, which was a key firm that helped track Russia’s cyberattack on the Democratic National Committee during the 2016 presidential election, did not name who it believes is behind the attack, but its description points to the Kremlin.
FireEye CEO Kevin Mandia wrote in a blog post that “based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities.”
“We were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack,” he wrote.
Mandia noted that FireEye was working with the FBI and “other key partners,” including Microsoft, to investigate the attack.
Matt Gorham, the assistant director of the FBI’s Cyber Division, said in a statement provided to The Hill that “the FBI is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation state.”
“It is important to note that our adversaries are continuously looking for US networks to exploit,” Gorham said. “That is why we are focused on imposing risk and consequences on malicious cyber actors, so they think twice before attempting an intrusion in the first place; why we are focused on quickly responding to victims and providing organizations with the information they need to defend their networks; and why we encourage anyone that notices suspicious activity to notify the FBI or the USSS [U.S. Secret Service].”
Mandia wrote that the “initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.”
The attackers were able to access FireEye’s “Red Team” tools that are used to test customer security, according to Mandia.
While the company has not yet seen any evidence of the Red Team tools being used by the attackers, “out of an abundance of caution,” FireEye had developed more than 300 countermeasures to help minimize the potential impact of the use of these tools by the attackers.
“We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected,” Mandia wrote. “We will never be deterred from doing what is right.”
This latest hack on FireEye highlights that any firm or organization can be hacked, even if it is designed to protect others from outside digital intruders.
The intrusion also comes a month after the 2020 presidential election, when the U.S. government and top cyber firms were on the alert about efforts to disrupt or sabotage the high-stakes race. And it is one of the largest hacks in recent years, following the 2016 cyberattack on the National Security Agency that armed a shadowy cyber group with key cybersecurity tools that were then dumped online and adopted by nation-states such as Russia and North Korea in later attacks.
FireEye is one of the leading cybersecurity firms in the U.S. and has built a reputation for making public nation malicious state cyber activity.
Last month, the company put out a report detailing ransomware attacks on U.S. hospitals by an Eastern European group known as UNC1878.
The report was put out in tandem with an alert sent out by U.S. federal agencies warning healthcare groups “of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
The company actively works to track foreign advanced persistent threat (APT) hacking groups, including exposing the Chinese APT41 group earlier this year for stepping up attacks on health care, pharmaceutical, and other groups in the early months of 2020.
The high-profile hack is causing concern among security-minded lawmakers on Capitol Hill.
“This latest hack, of FireEye, a highly respected cybersecurity company, just highlights the risky environment the internet has become for American companies,” Sen. Mark Warner (D-Va.), the top Democrat on the Senate Intelligence Committee, said in a statement to The Hill.
Warner called for the U.S. to “work closely” with U.S. allies and other western nations to develop a set standards of behavior for nations in cyberspace and then seek to enforce them once agreed upon.
He also said the U.S. must rethink its relationship with companies like FireEye if they are facing cyberattacks.
“We’re also going to rethink the relative responsibilities of companies and the U.S. government,” Warner said in part. “We have to expect, and demand, that companies take real steps to secure their systems, but this case also points out the difficulty private sector firms have stopping nation states. As we have with critical infrastructure, we have to rethink the kind of assistance the government provides to companies in key sectors on whom we all rely.”
House Intelligence Committee Chairman Adam Schiff (D-Calif.) said in a separate statement Tuesday that he had “asked the relevant intelligence agencies to brief the Committee in the coming days about this attack, any vulnerabilities that may arise from it, and actions to mitigate the impacts.”
“Foreign actors have not stopped attacking our country and its critical and cybersecurity infrastructure since 2016,” Schiff said. “In fact, they’ve continued, grown more sophisticated and only have to succeed once, while the U.S. government and companies alike have to pitch a perfect game. This news about FireEye is especially concerning because reportedly a nation-state actor made off with advanced tools that could help them mount future attacks.”
-Updated at 6:10 p.m.