FireEye says hackers stole its red-team tools, suggests state-sponsored group is to blame

Microsoft and the FBI are also investigating the breach of one of the most influential security firms in the world.
Kevin Mandia FireEye, Mandiant
Mandiant CEO Kevin Mandia speaks May 31, 2018, at the Cyber Threat Intelligence Forum presented by FireEye and produced by CyberScoop and FedScoop. (Scoop News Group)

FireEye, one of the most influential cybersecurity companies in the world, on Tuesday revealed that it had been breached by a suspected state-sponsored hacking group.

FireEye CEO Kevin Mandia said that the FBI and security experts at Microsoft were helping investigate the incident, in which attackers accessed the tools FireEye uses to simulate attacks against clients. “Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques,” Mandia said in a blog post.

Attackers stole so-called red team tools, which security firms use to imitate real-world hacks on behalf of their clients. Such red team tools from a respected firm like FireEye would provide malicious attackers with a kind of roadmap on how to subvert defenses, and breach victims.

The hackers who broke into FireEye’s network “primarily sought information related to certain government customers,” Mandia said.


The FireEye chief executive said his firm was taking the extraordinary step of developing “more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.”

FireEye did not identify a culprit in the breach. The company’s clients include Fortune 500 companies around the world. Any number of foreign intelligence services could find value in having access to FireEye’s security tools to probe target organizations in the public and private sectors.

“The FBI is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state,” Matt Gorham, assistant director of the FBI Cyber Division, said in a statement. It is a rare case of the FBI commenting on an ongoing investigation.

The company is known for attributing attacks from suspected Russian, Chinese and North Korean hackers, among other groups. The firm is often called in to investigate high profile data breaches, like the 2014 breach against Sony Pictures.

The breach is reminiscent, in part, of the theft of hacking tools from the National Security Agency, which a mysterious group called the Shadow Brokers began leaking in 2016. Those tools were subsequently used in high-profile cyberattacks, such as the WannaCry ransomware attack.


Dmitri Alperovitch, co-founder and former CTO of cybersecurity company CrowdStrike, pointed out that major security firms are frequent targets of state-linked hackers.

The response from Capitol Hill was swift.

Rep. Adam Schiff, D-Calif., chairman of the House Intelligence Committee, said he had asked intelligence agencies to brief his panel on the FireEye hack, including “any vulnerabilities that may arise from it and actions to mitigate the impacts.”

Sen. Mark Warner, D-Va., vice chairman of the Senate Intelligence Committee, said the incident “shows the difficulty of stopping determined nation-state hackers.”


“As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely,” Warner added.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts