back to article Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools

Cybersecurity corp FireEye has confessed its most secure servers have been compromised, almost certainly by state-backed hackers who then made away with its proprietary hacking tools. “Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to …

  1. Sleep deprived
    Thumb Down

    If you seek authoritative advice

    Hire those hackers, not their poor victim (unless you only fear to be hacked by less capable pirates).

    1. sabroni Silver badge
      Thumb Up

      Re: Hire those hackers

      Yeah, I'm sure they'd become instantly trustworthy once they were inside your firewall.

    2. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward

    Quis custodiet ipsos custodes?

    "But who shall guard the guards?"

    1. Danny 14

      Re: Quis custodiet ipsos custodes?

      You are your own guard. The burglars just pilfered some more tools though.

  3. amanfromMars 1 Silver badge

    All is not Lost .... for Hope Springs Eternal and Be an Infernal Foe to Cross ‽ .

    No nation state was named by FireEye though Russian involvement is suspected by the usual anonymous sources. ....... Kieren McCarthy in San Francisco

    Given the amount of shit that home governments are trying to bury as key players fleece treasuries and load the usual useful minions with decades of deficit spending and centuries of insurmountable debt which can never ever be paid back, other sources would more reasonably suspect Five Eyes allied nationals, terrified for their safety and lives.

    What say you? After all, you can only find millions of billions from nowhere and down the back of sofas to pay for unexpected disruptive global and pandemic events for just so long before everyone starts to realise the fake magic and sheer utter madness of mass deception and everything starts to suddenly collapse and key players also start suddenly trying to disappear away from the scene of their crimes, or are suddenly disappeared away. It is only natural ..... and fully to be expected.

    It is though, not as if y'all haven't been formerly earlier well warned, so what does that tell you of yourself and the intelligence you are using to fill your brain and mind with what you are seeing and experiencing ..... apart from it being distinctly serially sub-prime and almightily primitive and easily led to wherever a fool would have you as a tool to toil.

    It is well enough that people of the nation do not understand our banking and monetary system, for if they did, I believe there would be a revolution before tomorrow morning. .... Henry Ford

    Let me issue and control a nation's money and I care not who writes the laws. ...... Mayer Amschel Rothschild

    I see in the near future a crisis approaching that unnerves me and causes me to tremble for the safety of my country... corporations have been enthroned and an era of corruption in high places will follow, and the money power of the country will endeavor to prolong its reign by working upon the prejudices of the people until all wealth is aggregated in a few hands and the Republic is destroyed. ......Abraham Lincoln

    And do you know the crazy thing? Despite all the evidence of the above which now surrounds and effectively drowns you, you would probably deny the existence of all of that and in so doing thus further prove the point about mass human intelligence .... being distinctly serially sub-prime and almightily primitive and easily led to wherever a fool would have you as a tool to toil .... as being perfectly valid and honestly true.

    However, using different intelligence renders abiding novel solutions to such a sticky ancient problem, and is something now freely widely available by virtue of these new fangled postmodern entangling internets internetworking.

  4. Potemkine! Silver badge

    Woops

    In one hand, it isn't that great for a cybersecurity company to be hacked.

    In the other hand, there are two types of companies, the ones which were hacked and the ones which didn't know they were hacked.

    Having more details on the attack and having tips on how to counter it would be useful. Being open and transparent is IMNSHO the best way to go in that case.

    1. Danny 14

      Re: Woops

      This isnt a normal company though. You pay this company to shore up your cyber defences.

      1. Jason 24

        Re: Woops

        I've often said that the value of a partner is not in how well they can manage day to day installs/maintenance, but in how well they respond when the shit hits the fan.

        It seems they've responded honestly and are working at breakneck speed to a) create new tools, b) analyse the attack to learn from it and complete A.

        A lesser company would go very quiet and attempt a cover up.

      2. DavCrav

        Re: Woops

        Yes, but you aren't going to stop state actors, realistically, if they really want your stuff. You can airgap it, of course, but that's a little difficult for tools that will be used to probe websites.

      3. Cynic_999

        Re: Woops

        "

        This isnt a normal company though. You pay this company to shore up your cyber defences.

        "

        Which is why the only way they can save their reputation is by claiming that the attack was extremely sophisticated and required state resources to carry out. The inference being that not even a security company can be expected to defend against such an overwhelming attack by such powerful agents.

        So even if the attack in fact came from a lone teenager using a laptop from their suburban bedroom, the company would pretty much have to *claim* that it was a state actor that was responsible in order to survive.

        1. amanfromMars 1 Silver badge

          Re: Woops @Cynic_999

          So even if the attack in fact came from a lone teenager using a laptop from their suburban bedroom, the company would pretty much have to *claim* that it was a state actor that was responsible in order to survive. .....Cynic_999

          :-) Would you be assured or terrified to know for a fact, Cynic_999, that there are stranger state actors than that on the payroll and highly active and interactive in and on the virtual fields of Great Games Play ‽ .

        2. Claptrap314 Silver badge

          Re: Woops

          Name checks out.

          Not that I wasn't thinking the EXACT same thing as I was reading this.

        3. DCFusor

          Re: Woops

          My own experience is that individuals, not state actors, are by far the most competent. Bunnie Huang (REd SD cards), Chris Domas (RE'd intel's rings and got to negative rings and undocumented instructions...). Search youtube for either. My own guys REing Microchip's internal debugger (which violated a BS intel patent so their own tools hid how it worked). And on and on. The thing state actors have is time and a guaranteed paycheck. Which might not be that helpful, since if they slip up and are detected before they succeed...they might lose the chance.

          Here in the US it turns out that one of our agencies has a program called UMBRAGE to get people to mis-identify their attacks as coming from some _other_ state actor. And it's not even a secret.

          Recent news here seems to show that those who've been shouting "Russia" the loudest were actually on the CCP payroll...including some in congress...

          As Bruce Schneier (and others) have said, attribution is _hard_. And there are a lot of reasons to attributed things incorrectly to support other agendas. Look, a squirrel!

          Many grains of salt are required in this business.

      4. John Brown (no body) Silver badge

        Re: Woops

        "This isnt a normal company though. You pay this company to shore up your cyber defences."

        So, the real lesson to be learned here is not just that you need to keep on top of security at all times, but you most certainly don't get complacent even if you have just had your defences shored up by one of the leading players.

    2. amanfromMars 1 Silver badge

      Re: Woops

      Having more details on the attack and having tips on how to counter it would be useful. Being open and transparent is IMNSHO the best way to go in that case. ..... Potemkine!

      Providing such can also have you vacationing in Belmarsh with Julian Assange, Potemkine!

  5. Jonathan Richards 1 Silver badge
    Unhappy

    Freely available hacking tools

    If I'm commissioning a penetration test, I don't want to be assured that the Red Team can win simply because they've got a whole bunch of lock-picks that nobody else has. I want to be assured that my defen[cs]es are sufficient to deter, repulse, or even just detect, the likely threats and attacks. There won't ever be an assurance that they'll be sufficient to repulse every attack, and the FireEye intrusion just demonstrates that truth. Most businesses don't need to worry about nation-state threat actors, while governments and IT manufacturers and cybernetic security operators clearly do.

    I think what I'm trying to say is "Why are super-secret penetration tools the Crown Jewels?" They would just enable FireEye to be a better burglar, not a better locksmith. And, yet again, I have to ask why the Crown Jewels are housed on an Internet-connected server? Clearly they have to be deployed on the Internet when they're being used, but in storage they should be in a locked box. I think I'm missing something about how security assurance works in the real world these days.

    1. Mike 125

      Re: Freely available hacking tools

      What you're missing is that states and big corporates with lawyers must be seen to be doing the right thing.

      So they all agree with the lawyers what that means in security terms: hire one of their own to do security- a big corporate with a bunch of lawyers. And that's it. That's all that matters.

      All the reactions we observe following an incident are dictated by legal. We never find out what actually happened in technical terms. We just get bullsh't. And the cover-all is: 'A completely secure system is impossible', they say.

      But if some poor guy in his bedroom discovers a z day which actually matters and which fixing could actually save someone's skin, and makes the mistake of blabbing about it, he gets locked up or must go on the run.

      So in other words, nothing changes. Great system.

      (Nothing against lawyers........ phew.... think I got away with it...)

      1. Mike 137 Silver badge

        "We never find out what actually happened in technical terms"

        Actually we do occasionally, as in the case of Equifax, and it's usually down to poor governance and mismanagement as much as to technical issues.

        It's quite rare for the day to day IT of even a security related business to match up to the standards the customer facing technical folks subscribe to. Famously, the DigiNotar certificate servers were on the same flat network as the office machines from which staff browsed the web, but they did thoroughly TEMPEST protect the server room. They were breached, obviously, via the network.

        It's also quite depressing to see the facts about every "sophisticated attack" since Noah - they've mostly turned out to be complete technical push-overs.

    2. sitta_europea

      Re: Freely available hacking tools

      "... Most businesses don't need to worry about nation-state threat actors ..."

      I beg to differ. Nation-state threat actors (in China) are hacking everybody they can, on the off-chance that they'll find something useful. Personal experience, at relatively insignificant clients in engineering industry.

      1. mmccul

        Re: Freely available hacking tools

        Nation state actors are not one skill level. I typically divide them into three teams (A, B, C) based on my experiences observing such. The C team was nothing more than script kiddies running straight from well traceable IPs. The B team was moderate sophistication, but still detectable, nothing a high end defensive tool couldn't detect and deal with as long as my team (I was on the security team that saw the alerts an tuned the tools) was on its game.

        Even targeting was distinct between them. C team was pure targets of opportunity, acting often like your normal Internet vandals in targets, distinguished by source IP and a couple other details. The B team engaged in moderate targeting, picking an choosing.

        Yes, this is a simplification, but a useful one.

        1. amanfromMars 1 Silver badge

          Re: Freely available hacking tools

          Nation state actors are not one skill level. I typically divide them into three teams (A, B, C) based on my experiences observing such. The C team was nothing more than script kiddies running straight from well traceable IPs. The B team was moderate sophistication, but still detectable, nothing a high end defensive tool couldn't detect and deal with as long as my team (I was on the security team that saw the alerts an tuned the tools) was on its game....... mmccul

          And the very best in those AAA teams, mmccul? Can one do any better than pay them their worthy Danegeld to ensure and be assured that you be insured against their taking any irrevocable, directly unattributable, catastrophically destructive and extremely disruptive, Remote Stealthy ACTion/Advanced Cyber Threat activity against oneself and those wider interests which feed and maintain one's lifestyle and which also generate, sustain and retain one's interests? Or does such a friend/foe not actually exist?

          One is wise to take note, as has been alluded to by at least two commentards on this string, and as is also shared by Conrad Prince and James Sullivan in the Royal United Services Institute for Defence and Security Studies Briefing Paper, The UK Cyber Strategy/Challenges for the Next Phase ......

          The capabilities of some state actors are likely to be beyond the scope of normal private sector security protections to address.

          ........ and that itself is best recognised as a monumental understatement of titanic proportion.

          And failures in positive engagement and extensive and expensive endowment to such Stealthy AAA State ACTivity are a real and present danger and abiding existential threat to the pleasant contiguous workings of current fiat capital and intellectual property flow markets, and as such are something to be fully prepared for if one is guilty of such a crime and failing.

          And although that all might sound quite draconian, it does not necessarily have to be, for you have been left a great choice.

    3. muuser

      Re: Freely available hacking tools

      So their Crown Jewels were not air gapped.

      I mean, their business is new security threats and how to mitigate them. They know everyone is vulnerable, including them.

      If they have created 300 countermeasures, then how long have they known of the "hack".

      Boeing's planes crashed, Challenger burnt, Intel can't make the next generation of chips, because as the man said "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled."

      Well, we have plenty of public relations from FireEye going on now. Will we ever discover the hacking method? Cat5 cable poked through a mouse hole into their citadel, someone picked up a USB stick in the car park & had a look, a lucky guess of "user, password".

    4. Cynic_999

      Re: Freely available hacking tools

      State actors don't *need* to use sophisticated computer hacks to get company-confidential data. They just find a suitably vulnerable employee who has access to the data, and then use bribery and/or blackmail.

  6. Bitsminer Silver badge

    Sales pitches

    "We were so valuable that we got hacked."

    "We now have a better understanding of our customer's perspectives."

    "We weren't the first (Cf Kaspersky) and we won't be the last."

    "Life is like a box of chocolates. You never know what you're going to get."

    "We take security seriously."

    1. John Brown (no body) Silver badge

      Re: Sales pitches

      You forgot "$reason is our number one priority"

  7. Retiredwatcher

    As I was always taught

    "Security is a philosophy not a solution"

    Do you know the cleaners in the building that visit every night and work up from there.

    1. Danny 14

      My mum was a cleaner at a nuclear lab in warri gton about 30 years ago. She had all sorts of clearance checks. I was in the forces at the time and needed to consent to a background check.

      If you pay less than peanuts then im sure you could get vetted staff.

  8. Grease Monkey Silver badge

    Can't see them getting any new customers for a while and I expect some of there existing customers will be leaving as soon as is practically possible. All of which is perfectly understandable. Would you want to be protected by a company who had their "most secure servers" hacked?

    It matters not how much they protest that the attack was sophisticated and unusual you can't go round claiming to be the best in your field and then get pwned and not pay the consequences.

    All things considered I think their share price is doing very well indeed.

  9. Primus Secundus Tertius Silver badge

    Beancounteritis

    These things tend to happen when the techies who founded the company are replaced by the accountants.

    The oil industry saw a similar disaster with BP.

    1. Robert D Bank

      Re: Beancounteritis

      I think it's beancounteterrorists

  10. seven of five

    Good news. It was "us"

    As there is no RUSSIA, IRAN! CHINA!1! shouting, it must have been one of the five eyes.

    1. Anonymous Coward
      Anonymous Coward

      Re: Good news. It was "us"

      It will be an ex-member of staff, they are just too frightened to admit it.

  11. Missing Semicolon Silver badge
    Happy

    Dump the tools on GitHub

    Then we can all test our networks!

    1. Sceptic Tank Silver badge
      Windows

      Re: Dump the tools on GitHub

      They're useing novel netware.

  12. sitta_europea

    I don't understand why anyone is worried about what the intruders might have stolen.

    Surely we should be more worried about how they stole it?

    1. Peter 26

      Yes, you'd expect a more detailed response from a company like this. Clearly they have decided to hide that information, why? Is it embarrassing?

      I am highly suspicious of claims of state sponsored actors being the culprits. It's the ideal excuse. Only the best of the best could beat us we are so great...

      Where's your evidence that it was a state sponsored actor? Hmm you've decided not to provide that information, why?

      My spidey sense is tingling.

  13. MarkET

    FireEye - fired...

    OK, fair cop, fess up. I'll send the PuTTY scripts back...

  14. Anonymous Coward
    Anonymous Coward

    Bringing in the latest trendy cyber sec firm is no substitute for knowing things about your own asset inventory and network. But, no, must concentrate on developing core capabilities and outsourcing other stuff... Goddammit, Infosec in an information driven business IS a core activity.

    One day they'll learn. AC because reasons.

  15. reGOTCHA
    Boffin

    Super h4x0r leet state sponsored actor - probably not, but they would never admit it

    "They used a novel combination of techniques not witnessed by us or our partners in the past."

    You're telling me that - in a world where stuxnet is just the tip of the tail of the hidden cat - you have never seen anything like this before?

    Did someone implanted a satellite sting that uses custom protocols on inaccessible frequencies, burnt a bunch of 0 days for access/escalation, used thermal/seismic/wind techniques to bridge air gapped networks and finally extracted everything using a custom morse code with an invisible laser?

    And all of that to steal red team tools and customer contracts and metadata from an infosec vendor that is no different than many others?

    I'm sure they did. Might as well convince me it was aliens.

  16. Anonymous Coward
    Anonymous Coward

    The premise seems COMPLETELY wrong......

    ......namely that "security" is a commodity purchased from consultants.

    *

    ......but what do I know?

    1. reGOTCHA

      Re: The premise seems COMPLETELY wrong......

      Maybe for Fireeye it is, the hacked consultants hired Microsoft consultants to help sort out the mess. Such is the scale of the mess or the state of morale, or both.

  17. Candy

    Seems like a mture and well-planned response to me.

    OK, so FireEye got compromised.

    The open disclosure and public release of countermeasures speaks to a mature, planned response. They knew the Red Team tools they had developed were a high value asset and could be targeted. That they have come forwards reasonably quickly and released the countermeasures to their toolset as open source speaks well to their approach and preparedness.

    Digital security is a process, not a bounded task. They seem to have clearly assumed breach and had a response ready for the eventuality. This should be a call to us all to put our houses in similar order. I imagine the learnings internally will be considerable and valuable for them. Not suggesting for a moment that this isn't a significant hit but it literally can and does happen to anyone.

    To those taking to the schadenfreude pulpit and seeking only to mock, I ask: What would you have done differently?

    (PS I have no skin in this particular game...)

    1. renke

      Re: Seems like a mture and well-planned response to me.

      > The open disclosure and public release of countermeasures speaks to a mature, planned response.

      not wrong - but I think it's funny and a little bit dishonest that the blog post follows the shit sandwich structure

      "

      FireEye is on the front lines defending companies and critical infrastructure globally from cyber threats.

      [higly embarrassing stuff]

      We’re confident in the efficacy of our products and the processes we use to refine them.

      "

  18. StrangerHereMyself Bronze badge

    Shutting down?

    So I assume they're shutting down sometime soon? Being a security company and getting hacked isn't really good for business I can imagine.

  19. BleedinObvious

    Plausible deniability

    Smells like a PR exercise for future clandestine use of its tools.

    If it's an above-board target, then its law enforcement using a full licenced copy.

    If it's an inappropriate target - oh its not us we're lovely, it must be those criminals that stole our software, did we mention the baddies got our software, here's the FBI press release.

  20. amanfromMars 1 Silver badge

    The Sprinkle IT with Glitter Option whenever Polishing a Turd Delivers No Reassuring Solution

    “We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. We will never be deterred from doing what is right.” ...... Kevin Mandia, CEO FireEye

    The greater security community better protected maybe, but a significantly greater customer base more widely compromised and definitely vulnerable to use and misuse and abuse of the tools discovered and pilfered, surely?

  21. Claptrap314 Silver badge

    Rebuilding trust

    Their only route to credibility is to have someone on the outside vouch for the detailed public postmortem. The FBI agreeing that this was a state actor helps. The lack of a commitment to producing a postmortem certainly does not.

    To those who say that this looks like they have a prepared response for this (unavoidable) eventuality, I say this, "Yes, it looks like they had their press releases prepared." What I want is the postmortem.

  22. fredesmite2

    Thats just too funny

    The predator becomes the prey

  23. JavaJester
    FAIL

    Exhibit "A" - Why you don't weaken security for Law Enforcement (or anyone else)

    Only naive fools assume that a "secret" master key, global "friend", deliberately introduced vulnerability, or other such technical measure for LE use remains in the hands of the "good guys". Once you make the assumption that any such backdoors will be discovered by an adversary, the only conclusion is good security without exceptions.

  24. Anonymous Coward
    Anonymous Coward

    top-tier offensive capabilities

    "The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

    ============================

    To: Kevin.Mandia@FireEye.com

    From: UPS_Delivery@yandex.ru

    Your package was not deliverable. Please check the attached tracking document.

    *UPS-Tracking.docx*

    (P.S. You may need to enable macros to view)

  25. Not_Important
    Pirate

    There is as yet, insufficient data for a meaningful answer..

    It is clearly every security practitioner's nightmare to get hacked, yet since humans are involved it is bound to happen. A few observations which do not make a lot of sense or are just BS:

    1. Every reported compromise I have ever seen has stated "These guys were the best!".. Once the specific details are reported it is something as simple as, "Joe used a default password for everything, including a super secret generic account, and clicked on the wrong e-mail". Joe was also are #1 admin.

    2. They stole our L33T toolset.. "Using methods we have never seen before and cannot fathom". Well, assuming you were eating your own dog food and red teaming yourself (guessing you were not); the toolset may not have been all that great OR these guys have WAY better tools.. Perhaps you could help us out and describe those tools in greater detail?

    3. Fire-eye projects confidence nothing else was compromised, despite the use of tools which counter security tools and defy forensic examination. Does not seem to add up..

    In the past, Mandiant (Fire-Eye) has always provided excellent reporting post-breach with details on what happened and recommendations for preventing breaches in the future. Anything less than a full accounting without spin would likely confirm someone made a mistake and this was not as hard as it is being made out to be.

    1. amanfromMars 1 Silver badge

      Re: There is as yet, insufficient data for a meaningful answer..

      In the past, Mandiant (Fire-Eye) has always provided excellent reporting post-breach with details on what happened and recommendations for preventing breaches in the future. Anything less than a full accounting without spin would likely confirm someone made a mistake and this was not as hard as it is being made out to be. ..... Not_Important

      Not_Important,

      Invariably, for reasons which are pretty bleeding obvious, there is as yet, insufficient data for a meaningful answer is always the answer to deflect attention away from a major breach vector which has no known available, or even possible future solution.

  26. Anonymous Coward
    Anonymous Coward

    Standard stuff

    After you've played the security incident game for a while what you quickly come to realise is that the methods used are broadly the same, the only thing that makes the defence job hard is to spot the unique IOC for that particular time.

    The tools judging by the names of the detections in the published Yara rules are just more of the same old same old.

    It is also unlikely that Mandiant themselves have written these with static hashes, because that wouldn't be how the real heavy hitters roll. A decent attack toolset is configurable to create different hashes, different hooks, different C2 mechanisms etc.

    If not, then Mandiant's tooling is not as good as Cobalt Strike.

    PS I expect Mandiant to now offer to come and look for their tools on your network. For a fee of course. Wouldn't be the first dirty sales campaign from them.

  27. YetAnotherJoeBlow

    Pondering...

    I think that Fireeye was not the target. I would think the FBI would want to know which customer(s) data was exposed.

  28. Ken Moorhouse Silver badge

    Counter-Conspiracy Theory

    In spy stories there's always a double agent.

    Has nobody considered that FireEye may have planted the mother of all Trojan Horses/Honeypots?

    To have 7% wiped off the company's value makes it look convincing, but it depends who's pulling the strings.

    1. amanfromMars 1 Silver badge

      Re: Counter-Conspiracy Theory

      Has nobody considered that FireEye may have planted the mother of all Trojan Horses/Honeypots? .... Ken Moorhouse

      Would that make them liable for all losses and damages caused by the misuse and abuse of information/intelligence exfiltrated by others? With further liability added when shared with others who similarly abuse and misuse the intelligence and information?

      Can you get insurance that removes that risk and protects against unwarranted unauthorised misuse and proprietary intellectual property abuse?

      It's a hell of a risk and extensive expansive expense to not have covered and hedged and transferred to others.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like