By Ellen Nakashima and Joseph Marks
Dec. 9, 2020
The Washington Post
The same Russian spies who penetrated the White House and State Department several years ago and have attempted to steal coronavirus vaccine research have carried off another brazen hack, this time breaking into the servers of one of the world’s premier cybersecurity firms, FireEye, according to people familiar with the matter.
The breach was disclosed by FireEye on Tuesday, though the firm did not attribute it to Russia’s foreign intelligence service. It was detected in recent weeks, said one of the people, who like others interviewed for this story spoke on the condition of anonymity because the investigation is ongoing.
FireEye CEO Kevin Mandia said the hackers stole sensitive hacking tools that the company uses to detect weaknesses in customers’ computer networks and that could be turned back against the same customers or others. He said they primarily went after information related to certain government customers.
“We are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia said in a blog post. “The attackers tailored their world-class capabilities specifically to target and attack FireEye.”
The firm went public with the incident to ensure that its 9,600-plus customers around the world and the cybersecurity industry were aware and could take steps to ensure that they won’t be breached with the stolen tools. The tools are used by FireEye “Red Teams” to test a company’s cyber defenses.
The FBI is investigating the breach.
“Preliminary indications show an actor with a high level of sophistication consistent with a nation-state,” said Matt Gorham, assistant director of the bureau’s cyber division.
In 2015, hackers with the Russian SVR intelligence service compromised the servers of the Democratic National Committee. That group, known among private-sector security firms as APT29 or Cozy Bear, also hacked the State Department and the White House during the Obama administration.
The SVR, however, did not leak the hacked DNC material. Rather, U.S. officials have said, a rival Russian intelligence service, the military spy agency GRU, separately hacked the DNC and leaked its emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the 2016 presidential campaign.
The SVR, by contrast, hacks for traditional espionage purposes, stealing secrets that can be useful for the Kremlin to understand the plans and motives of politicians and policymakers. Its operators have filched industrial secrets, hacked foreign ministries and gone after coronavirus vaccine data.
At this point, Mandia said, although the hackers were able to access internal systems, the firm has seen no evidence that they removed data from primary systems that store customer information. The governments targeted did not necessarily include the United States, said a person familiar with the investigation.
The hackers “operated clandestinely, using methods that counter security tools and forensic examination,” Mandia said. “They used a novel combination of techniques not witnessed by us or our partners in the past.”
It was the equivalent, said one person familiar with the investigation, of a “sniper shot.”
The attackers made off with a significant number but not all of the firm’s tools, the person said.
Mandia said FireEye has seen no evidence that any hacker to date has used the tools. Nonetheless, he said, the firm has developed more than 300 countermeasures for its customers to help shield them from attack.
FireEye has skilled people developing its Red Team tools by building off techniques observed in incidents and publicly available capabilities. None of the tools used “zero days” or previously unknown exploits that help a hacker compromise a system. “These would be tools primarily we’ve seen used by attackers that we want to emulate,” the person said.
“Security companies are one of the top targets of nation-state operators and many have been successfully compromised over the years, including Kaspersky, RSA and Bit9,” said Dmitri Alperovitch, who co-founded a leading cyber firm, CrowdStrike, and who left CrowdStrike earlier this year to found the Silverado Policy Accelerator think tank.
“The primary goals of these operations are typically to get access to capabilities that would make it easier for them to hack companies all over the world,” he said. “It is impressive how transparent FireEye has been at disclosing the breach, the details of what happened and providing mitigations for their stolen ‘Red Team’ tools to help minimize the chance of others getting compromised as a result of this incident.”
The motive behind the breach is unclear. Besides obtaining hacking tools, a nation-state might also have wanted to learn what FireEye knows about its capabilities and adjust its techniques accordingly, or it could study the tools for weaknesses that can be exploited, said Gregory Touhill, president of AppGate Federal Group and former federal chief information security officer.
Mandia founded the cyber firm Mandiant, which was bought by FireEye in 2014. Mandiant made headlines with a 2013 report detailing the exploits of a prolific Chinese
military hacking unit that targeted victims around the world, including in the United States.
Microsoft is assisting FireEye with the investigation.