Criminals steal hacking tools from security firm FireEye

FireEye's CEO says no valuable data was stolen, but there are unanswered questions about the purpose behind the attack

US cyber security firm FireEye has fallen victim to a cyber attack, possibly from a state-sponsored threat group, which led to the theft of some of the company's internal hacking tools.

In a blog post, FireEye CEO Kevin Mandia revealed that the FireEye's team used the stolen tools to privately test customers' cyber defences. These tools imitate the behaviour and actions of various cyber threat groups, and enable FireEye to provide diagnostic security services to customers.

None of the stolen tools contained zero-day exploits, according to Mandia.

Mandia did not say when the incident occurred, or which nation or group could be behind the attack. He simply said that the attack was conducted by a "highly sophisticated threat actor" whose discipline, techniques and offensive capabilities suggest that it was most likely a nation-state operation.

The hackers used "a novel combination of techniques" that has - apparently - never been seen before. It appears that the attackers were skilled in operational security and tailored their tools to specifically target FireEye.

The cyber actors executed the attack with "discipline and focus". They operated covertly and used advanced tools capable of countering forensic examination.

The post-breach investigation indicated that the hackers were likely interested in the data of some FireEye customers, specifically government agencies.

The company said it is taking all necessary steps to strengthen the security of its customers and is being helped by the FBI and Microsoft.

There is no evidence to suggest that hackers have started using FireEye's tools to hack other organisations, the company said.

"We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them," Mandia wrote.

"The incident seems to be quite mysterious and obscure," said Ilia Kolochenko at ImmuniWeb.

"On one side, FireEye readily talks about a 'highly sophisticated state-sponsored adversary', [and] on the other, says that 'no zero-days' or otherwise highly valuable data was stolen. Why would a nation-state APT ever bother to expose their own zero-days and advanced hacking techniques to get a collection of semi-public Red Teaming tools? "

"A wide spectrum of vital questions likewise remains unanswered: when did this incident happen, which systems are impacted, what are the chances that clients' data was compromised? We cannot exclude a probability that this specific incident was merely a smokescreen aimed to distract FireEye from a more important attack targeting clients' data or ultra-confidential private research. More transparency is expected from FireEye to dispel the doubts and bring clarity."