The cybersecurity firm FireEye said it had been hacked and that the attackers stole tools the company uses to test the defenses of its customers’ computer networks to find potential vulnerabilities. The company’s shares fell as much as 9.8% on the news.
The attackers were a “nation with top-tier offensive capabilities,” said CEO Kevin Mandia. He didn’t identify the country suspected to be behind the attack, but a person familiar with the incident said investigators believe hackers closely aligned with the Russian government were behind it.
The hackers “tailored their world-class capabilities specifically to target and attack FireEye,” Mandia said in a company blog on Tuesday. “They are highly trained in operational security and executed with discipline and focus.”
The tools taken, known as “red team tools” in the security community, mimic the behavior of hackers and enable FireEye to provide “diagnostic security services” to customers, Mandia said. He said the company had so far seen no evidence that anyone had used the tools in a cyber-attack.
The company’s shares dropped to as low as $14.00 in extended trading after closing at $15.52 in New York. The stock has declined 6.1% this year.
FireEye, based in Milpitas, California, was founded in 2004 and is highly regarded in the cybersecurity community. It is considered one of the companies with enough threat intelligence and expertise to routinely and reliably attribute attacks to high-profile hackers, including the governments of Russia, China, Iran and North Korea.
“The FireEye breach is an extraordinarily significant attack because of the nature of the target,” said Mike Chapple, teaching professor of IT, analytics and operations at the University of Notre Dame’s Mendoza College of Business, in written remarks. “As one of the world’s go-to cybersecurity firms, FireEye has a ringside seat for some of the most sophisticated breaches carried out worldwide. From that vantage point, they’re able to amass one of the world’s most complete selection of cyberwarfare tools for use in their own defensive work.”
The hack was discovered in recent weeks by FireEye when it found a suspicious login that had surpassed the two-factor authentication requirement on their virtual private network, according to the company. The attackers carried out the hack from two dozen IP addresses based in the U.S., none of which have been detected as part of a cyber-attack before — the type of sophisticated tactics that led FireEye to believe a foreign intelligence service was behind the incident.
“Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers,” Mandia wrote. He added that, while the hackers accessed “some of our internal systems,” they didn’t appear to steal customer data.
FireEye is investigating the attack with the FBI and Microsoft Corp. The company is also publishing information that can help neutralize the tools that were stolen.
Matt Gorham, assistant director of FBI’s Cyber Division, said preliminary indications “show an actor with a high level of sophistication consistent with a nation state.”
The case has similarities to a breach of the National Security Agency, when hackers stole U.S. cyberweapons and a mysterious group known as the “Shadow Brokers” published them online starting in 2016.
“This incident demonstrates why the security industry must work together to defend against and respond to threats posed by well-funded adversaries using novel and sophisticated attack techniques,” Microsoft said in a statement, which also commended FireEye for disclosing the breach.