FireEye Drops After Cybersecurity Company Says It Was Hacked

FireEye Inc., a prominent U.S. cybersecurity company, acknowledged that it had been breached, probably by hackers from a foreign adversary. The attackers made off with sensitive tools that FireEye uses to find vulnerabilities in clients’ computer networks.

The attackers were a “nation with top-tier offensive capabilities,” said Chief Executive Officer Kevin Mandia. He didn’t identify the country suspected in the attack, but a person familiar with the incident said investigators believe hackers closely aligned with the Russian government were behind it.

The hackers “tailored their world-class capabilities specifically to target and attack FireEye,” Mandia said in a company blog on Tuesday. “They are highly trained in operational security and executed with discipline and focus.”

By Wednesday morning, FireEye’s shares had fallen as much as 14% in extended trading after closing at $15.52 in New York.

It was the latest setback for a company whose stock peaked in 2014 at more than $80 following the initial public offering the year before. For the past four years, FireEye shares have been stuck at about $15, spurring recurrent reports about an acquisition.

The motive for the attack wasn’t clear, and it wasn’t certain that the hackers intended to swipe what are known as “red team tools” in the security community. Mandia said the attackers “sought information related to certain government customers.” However, while the hackers accessed “some of our internal systems,” they didn’t appear to steal customer data, he said.

Red team tools mimic the behavior of hackers and enable FireEye to provide “diagnostic security services” to customers, Mandia said. So far, the company hadn’t seen evidence that anyone had used the tools in an attack. Dmitri Alperovitch, the co-founder and former chief technology officer of Crowdstrike, a FireEye competitor, said red team tools are built to bypass customer networks and can sometimes be more sophisticated that the ones used by hackers. “You get paid to succeed breaking in,” he said.

That could make them potentially valuable for hackers seeking to infiltrate computer networks.

But Alperovitch said the tools may not have been the only target. FireEye’s customers include nation-states, large tech companies, energy conglomerates and defense firms. The FireEye breach could expose the intelligence company’s clients to a similar fate -- an adversary’s infiltration, or possibly the sale of their secret data, said Alperovitch.

FireEye, based in Milpitas, California, was founded in 2004 and now has 9,600 customers in 103 countries. It also protects more than 1,000 government and law enforcement agencies, according to its website. FireEye, with more than 3,000 employees and $889 million in revenue last year, is one of the relatively few cybersecurity firms with enough threat intelligence and expertise to routinely and reliably attribute attacks to high-profile hackers, including the governments of Russia, China, Iran and North Korea.

The hack was discovered in recent weeks by FireEye when it found a suspicious login that had surpassed the two-factor authentication requirement on their virtual private network, according to the company. The attackers carried out the hack from two dozen IP addresses based in the U.S., none of which has been detected as part of a cyber-attack before -- the type of sophisticated tactics that led FireEye to believe a foreign intelligence service was behind the incident.

FireEye is investigating the attack with the FBI and Microsoft Corp. The company is also publishing information that can help neutralize the tools that were stolen.

Matt Gorham, assistant director of FBI’s Cyber Division, said preliminary indications “show an actor with a high level of sophistication consistent with a nation state.”

The case has similarities to a breach of the National Security Agency, when hackers stole U.S. cyberweapons and a mysterious group known as the “Shadow Brokers” published them online starting in 2016.

But other cybersecurity firms have been hacked too.

In 2011, RSA offered to replace its then popular SecurID tokens after it revealed that its network was breached. The company also acknowledged that data stolen by the hackers was used in an attempted cyber-attack at RSA customer Lockheed Martin Corp.

In 2013, a security company called Bit9 disclosed that cyber-attackers had gained access to a digital code-signing certificate used to identify authentic software, and co-opted it to authorize malware they placed on Bit9 customer networks.

The attack was a clever way of circumventing the protections of Bit9’s security technologies, effectively “white-listing” the malware so it wouldn’t be blocked. Bit9 said three of its customers were affected by the attack, which it believed was part of a larger campaign “to infiltrate select U.S. organizations in a very narrow market space.”

In 2015, Juniper Networks Inc. revealed a complex set of breaches that included hackers inserting a secret administrative password into the source code of its popular line of NetScreen security products, which were used around the world by banks and government agencies to protect some of their highest-security networks.

©2020 Bloomberg L.P.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.