FireEye, a global leader in incident response, threat intelligence, and cyber security consulting, said on Tuesday that it recently suffered a state-sponsored cyber attack that resulted in hackers getting their hands on a number of powerful hacking tools.
According to FireEye, hackers behind the sophisticated cyber attack used novel techniques to infiltrate its systems and tailored their world-class capabilities specifically to target and attack FireEye. By operating clandestinely, the attackers managed to surprise a leading cyber security vendor that advises thousands of major organisations on how to detect and mitigate sophisticated cyber attacks.
Kevin Mandia, the CEO of FireEye, wrote in a blog post yesterday that the way hackers used methods that countered security tools and forensic examination and deployed a combination of attack techniques to breach FireEye’s systems made him conclude that the attack was carried out or sponsored by a nation with top-tier offensive capabilities.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus,” Mandia wrote, adding that Microsoft, the FBI, and other key partners share his view that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.
The cyber security company said that after gaining access to its systems, the hackers accessed ‘certain Red Team assessment tools’ that FireEye used to test the security of its clients’ IT systems. These advanced hacking tools mimic the behavior of many hacking groups and enabled FireEye to provide essential diagnostic security services to customers.
“We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools,” Mandia added.
Aside from stealing various potent hacking tools, the attackers also showed interest in information related to FireEye’s government customers, who may or may not include a number of US government departments. The firm said that even though the hackers were able to access some of its internal systems, there is no evidence yet to suggest that they exfiltrated data from its primary systems that store customer information.
According to The Washington Post, it is highly likely that the cyber attack targeting FireEye’s systems was carried out by APT29, also known as “the Dukes” or “Cozy Bear”, a well-known state-sponsored Russian hacker group.
Also known as SVR, the hacker group is known for carrying out online espionage activities and stealing foreign government secrets and data that can be used by the Russian government to track the activities of rival nations and to form response plans.
Recently, the National Cyber Security Centre said that APT29 hackers were targeting organisations involved in coronavirus vaccine development with spear-phishing attacks and malware infections. In order to steal information related to coronavirus vaccine development, APT29 carried out spear-phishing attacks and also used custom malware known as ‘Sorefang’, ‘WellMess’, and ‘WellMail’ to target a number of organisations globally.
According to NCSC, APT29 almost certainly operates as part of Russian intelligence services and its primary mission is to carry out malicious campaigns against government, diplomatic, think-tank, healthcare, and energy targets to steal valuable intellectual property.