FireEye, a well-known cybersecurity company, said it was the victim of a cyber attack, and that the attack was so severe and sophisticated that only "a nation with first-tier offensive capabilities" could have carried it out. The hackers stole some of the computer programs FireEye uses to test its customers' defenses; these programs simulate the most widely used hacker attack tools and could therefore be used for new attacks.
It is not yet clear who is behind the attack, but according to the New York Times, which consulted several experts, many clues suggest that it could have been Russia. Among these clues is the fact that the FBI has opened an investigation and entrusted the case to its specialists in Russian cyber attacks.
FireEye is a well-known company in the cybersecurity industry. Founded in 2004, it has two main activities: the first is to analyze its customers' IT security systems to verify their soundness; the second, and the most famous, is to investigate hacker attacks that have already occurred, to reveal the perpetrators and prevent them from happening again. Thanks to its experience in the field, FireEye has worked with many companies that over the years have been victims of very serious hacker attacks, such as Sony, Equifax, Deloitte and Target. In many cases, FireEye has played a role in revealing the identity and provenance of the hackers.
The company has also covered many cases of hacker attacks of great international importance, publishing research and investigations on the most dangerous and important cyber espionage groups, such as APT28, also known as Fancy Bear, a group of hackers who, according to researchers, is linked to Russian intelligence and is behind many known and destructive attacks, including those that occurred in the United States during the 2016 election campaign against the Democratic Party and Hillary Clinton.
For this reason, the New York Times wrote, the hacker attack on FireEye can be compared to a robbery against the FBI: the criminals hit the investigators. The hackers, according to the company, stole the tools of the "Red Team", i.e. computer programs that replicate and simulate the most sophisticated hacker programs in the world. FireEye uses these tools to test the strength of its customers' defenses, but even though they are simply copies of known hacking programs, they can be used to conduct new attacks. First of all, because the FireEye collection is quite complete: assuming the attack is the work of Russian hackers, it may be useful for them to take possession of tools used, for example, by North Korean hackers. Secondly, because using a stolen hacker tool is a good way to cover one's tracks. Companies like FireEye often recognize attackers by the technical characteristics of the tools they use; but if hackers use a tool created by others and stolen from them, it becomes more difficult to identify them.
The danger of stolen hacker tools was seen in 2016, when the American National Security Agency (NSA) was the victim of a cyber attack by a still unidentified group called ShadowBrokers, which stole the entire arsenal of hacking tools of the most sophisticated government agency in the world and spread it on the internet. Everyone knew that those tools were available, but partly because they were very powerful and partly because it is difficult to organize large-scale cyber defenses, they were eventually used by Russian and North Korean hackers to target government agencies, companies and hospitals: it is estimated that in the United States they caused damages of 10 billion dollars. The tools stolen from FireEye may not be as sophisticated as those stolen from the NSA, but they could still create serious problems.
FireEye stored its "Red Team" tools with great care. But according to the company, this hacker attack was exceptionally sophisticated, "different from the tens of thousands we have faced over the years," wrote Kevin Mandia, the company's chief executive, in an official communication. According to Mandia, the hackers "adapted their world-class capabilities specifically to attack FireEye", and used "a new combination of techniques never before seen by either us or our partners." Mandia wrote, however, that none of the stolen tools exploits "zero-day vulnerabilities", that is, still unknown vulnerabilities, which are much feared because no one has had the time ("zero days", in fact) to find countermeasures. He added that the company had prepared prevention and security measures in case its tools were stolen, which should at least partially cushion the consequences of the attack.
There is no evidence, as yet, that the hackers stole potentially valuable customer data, and according to the American media, clues like this suggest that another possible motive for the attack on FireEye could be revenge. As noted above, the company has played an important role in identifying the perpetrators of many famous hacker attacks, and has publicized its research widely, especially against Russian government-sponsored groups. It is possible, writes the New York Times, that these groups decided to attack FireEye to harm it rather than to profit from it.