FireEye is considered one of the world’s top cyber-security firms; they are the ones Sony hired after the infamous hack by North Korea. Now FireEye is itself the scene of the crime. The company announced that its own tightly guarded hacking tools, used to test security for clients around the world, have been stolen by hackers working for an unspecified nation-state. The company’s CEO, Kevin Mandia, published a blog post about it today:
Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past…
We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.
The tools could potentially be used to hack other companies or nations while providing some plausible deniability, but since FireEye is publishing countermeasures (detection signatures) for every stolen tool, the attackers’ ability to use them quietly is limited. So what was the point of this detailed and probably expensive operation?
No one is saying who is responsible for the hack, but the NY Times suggests it looks like the work of Russia. And in Russia’s case, this may be more personal retaliation than an attempt to gain any real advantage:
The F.B.I. on Tuesday confirmed that the hack was the work of a state, but it also would not say which one. Matt Gorham, assistant director of the F.B.I. Cyber Division, said, “The F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”
The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention — including FireEye’s — was focused on securing the presidential election system…
The attack on FireEye could be a retaliation of sorts. The company’s investigators have repeatedly called out units of the Russian military intelligence — the G.R.U., the S.V.R. and the F.S.B., the successor agency to the Soviet-era K.G.B. — for high-profile hacks on the power grid in Ukraine and on American municipalities. They were also the first to call out the Russian hackers behind an attack that successfully dismantled the industrial safety locks at a Saudi petrochemical plant, the very last step before triggering an explosion.
“The Russians believe in revenge,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. “Suddenly, FireEye’s customers are vulnerable.”
This makes a certain sense. FireEye has effectively interfered with previous Russian hacks, and this is a way of showing who is boss: if we want to, we can take your own tools right out of your digital vault. And they did, which I guess gives them a certain amount of bragging rights. And really, what’s the point of having an authoritarian state if you can’t brag about your own power?
Officially, the Russians have denied any involvement, but that’s just what they always do when accused of something illegal. Their denials can usually be ignored.