One of America’s Top Security Firms, FireEye, has been Hacked

Cybersecurity firm FireEye is usually the first call government agencies make if they’ve experienced an attack. The company, which has served clients like Sony and Equifax, has been responsible for identifying the culprits behind some of the world’s biggest security breaches. But this time, it seems FireEye was the subject of an attack itself.

The cybersecurity firm announced on Tuesday that its systems were compromised in an attack by “a nation with top-tier offensive capabilities.” Using “novel techniques,” FireEye said, the attackers were able to make off with its tool kit, which could be used to mount new attacks around the world.

FireEye, a $3.5 billion company, declined to say who was responsible for the attack. However, evidence is pointing to Russian intelligence agencies: FireEye’s description of the attack and the fact that the F.B.I. turned the case over to its Russia specialists both lead to that suspicion. The suspects were also said to be after “Red Team tools.”

These digital tools replicate some of the most sophisticated hacking tools in the world. FireEye uses these tools, which are kept in a closely guarded digital vault and used only with the permission of the client, to look for vulnerabilities in the client’s systems.

Like FireEye, the F.B.I. did not confirm who initiated the attack against the security firm. Matt Gorham, assistant director of the F.B.I. Cyber Division, said, “The F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with the nation-state.”

It’s quite possible that Russian intelligence agencies took advantage of the American presidential election to mount their attack.  While American agencies were focused on keeping the election secure, Russian agencies, who were involved in 2016 election breaches, planned their attack.

This hack was the largest known theft of cybersecurity tools since the 2016 attack on the National Security Agency by an unidentified group known as the “ShadowBrokers.” The ShadowBrokers group exposed the N.S.A.’s hacking tools online, giving hackers the “keys to the digital kingdom,” as a former N.S.A. agent put it. North Korea and Russia both used these tools to conduct attacks on government agencies, hospitals, and giant corporations, costing over $10 billion.

The N.S.A.’s stolen tools were likely more useful than FireEye’s, as the government agency’s tools are purpose-made digital weapons. FireEye’s Red Team tools are built from malware that the company has seen used in a variety of attacks.

The advantage of using these stolen digital weapons is that nation-states can hide their tracks after an attack.

Patrick Wardle, principal security researcher at Jamf and a former N.S.A. hacker, says, “Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability. In risky environments, you don’t want to burn your best tools, so this gives advanced adversaries a way to use someone else’s tools without burning their best capabilities.”

FireEye’s investigators worked with Sony after a 2014 attack that was ultimately attributed to North Korea. In 2015, FireEye was called in by the State Department and other American government agencies to investigate attacks by Russian hackers. It was also called in to investigate an attack on Equifax three years ago that affected nearly half of the American population. Despite the company’s impressive resume, this breach could ultimately be a blemish on FireEye’s reputation.

In the recent FireEye attack, the attackers created thousands of IP addresses, many of which were in the United States and had never been used in previous attacks. By using those never-before-used addresses, the hackers were able to better hide their whereabouts.

FireEye is still investigating exactly how the hackers breached its systems. Kevin Mandia, FireEye’s chief executive, said, “This attack is different from the tens of thousands of incidents we have responded to throughout the years.” The former Air Force intelligence officer continued by stating that the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” Mandia said that, while trying to avoid detection, the attackers showed they were highly trained in “operational security” and exhibited “discipline and focus.” Other large companies that conduct cybersecurity investigations, such as Google and Microsoft, mentioned that they had never seen some of these techniques.

FireEye has published key elements of their “Red Team” tools, so that others around the world would be able to see potential future attacks coming.

Just days before the attack on FireEye, the N.S.A. said Russia was behind another sophisticated attack that infiltrates a type of software called VM, for virtual machines, that is commonly used by defense companies and manufacturers. The targets of the attack were not made public, and it is unclear if Russian hackers used their success in the VM attack to breach FireEye’s systems.

It is also possible that the FireEye attack could be retaliation.  FireEye has continually called out Russian military intelligence – the G.R.U., the S.V.R. and the F.S.B. – for conducting high-profile attacks on the Ukrainian power grid and American municipalities. FireEye also blamed Russian hackers for dismantling industrial safety locks and a Saudi petrochemical plant that triggered an explosion.

James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said, “The Russians believe in revenge. Suddenly, FireEye’s customers are vulnerable.”

Russia’s National Association for International Information Security held a forum at the beginning of December with security experts from around the world. At the forum, Russian officials claimed that there was no evidence that Russian hackers were responsible for any attacks that have prompted American sanctions and indictments.

Security firms have always been a frequent target for hackers. Their tools allow threat actors to gain access to the source code and tools of corporate and government clients across the globe.

 Story via The New York Times

UPDATE: SolarWinds Supply Chain Attack to Blame for FireEye Breach
