The cybersecurity firm FireEye (FEYE) said Tuesday that it had come under cyberattack by “highly sophisticated” actors likely sponsored by a nation-state, in a rare and extremely serious instance of a mainstream security vendor being compromised. The hack could even give the perpetrators the means to launch attacks against other targets.
In an investor disclosure, FireEye said the attack was highly customized to target FireEye’s systems and is unlike any the company has responded to in the past.
“Based on his 25 years in cyber security and responding to incidents, Kevin Mandia, our Chief Executive Officer, concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” the SEC filing said.
The attacker accessed “certain Red Team assessment tools that we use to test our customers’ security,” the disclosure continued, implying that many of FireEye’s clients, including its government customers, could be indirectly affected by the breach. “We are proactively releasing methods and means to detect the use of our stolen Red Team tools. We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.”
In a blog post, Mandia said FireEye is working with the FBI and other forensic partners, including Microsoft (MSFT). Matt Gorham, assistant director of the FBI’s Cyber Division, said in a statement that “preliminary indications show an actor with a high level of sophistication consistent with a nation state.”
Early evidence suggests that a Russia-linked actor was behind the operation, according to a person familiar with the matter.
Mandia said the attackers tried to access information “related to certain government customers,” but that the company has no evidence yet that customer information has been stolen.
None of the stolen cybersecurity tools contained so-called zero-day exploits, Mandia said. Zero-day vulnerabilities are software vulnerabilities that have never been publicly identified or patched, and can be extremely dangerous if weaponized by malicious actors.
The Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, said in a statement that it has been working with FireEye to determine the scope of the attack.
“As details are made available we are working to share and implement countermeasures across the federal networks and with our private sector partners,” a CISA spokesperson said.
FireEye is among the world’s preeminent cybersecurity firms, selling services designed to prevent, detect and respond to network security attacks. It also conducts extensive research on some of the most sophisticated hacking groups, known in the industry as advanced persistent threats.
Mike Chapple, a cybersecurity expert at the University of Notre Dame and a former National Security Agency official, called the FireEye breach “an extraordinarily significant attack.”
“As one of the world’s go-to cybersecurity firms, FireEye has a ringside seat for some of the most sophisticated breaches carried out worldwide,” Chapple said. “The impact of this breach remains to be seen and depends upon the motivation of the attackers. We might see them go public in an attempt to monetize their work by selling exploits. On the other hand, they might remain in the shadows, stealthily using their new tools to compromise high-value systems.”
Shares of FireEye fell more than 7% in after-hours trading Tuesday following the disclosure.
Geneva Sands, Alex Marquardt and Zachary Cohen contributed to this report.