Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

FireEye, a Top Cybersecurity Firm, Says It Was Hacked By a Nation-State (nytimes.com) 51

An anonymous reader quotes a report from The New York Times : For years, the cybersecurity firm FireEye has been the first call for government agencies and companies around the world who have been hacked by the most sophisticated attackers, or fear they might be. Now it looks like the hackers -- in this case, evidence points to Russia's intelligence agencies -- may be exacting their revenge. FireEye revealed on Tuesday that its own systems were pierced by what it called "a nation with top-tier offensive capabilities." The company said hackers used "novel techniques" to make off with its own tool kit, which could be useful in mounting new attacks around the world.

It was a stunning theft, akin to bank robbers who, having cleaned out local vaults, then turned around and stole the F.B.I.'s investigative tools. In fact, FireEye said on Tuesday, moments after the stock market closed, that it had called in the F.B.I. The $3.5 billion company, which partly makes a living by identifying the culprits in some of the world's boldest breaches -- its clients have included Sony and Equifax -- declined to say explicitly who was responsible. But its description, and the fact that the F.B.I. has turned the case over to its Russia specialists, left little doubt who the lead suspects were and that they were after what the company calls "Red Team tools." These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools — with the permission of a client company or government agency -- to look for vulnerabilities in their systems. Most of the tools are based in a digital vault that FireEye closely guards.

The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention -- including FireEye's -- was focused on securing the presidential election system. At a moment that the nation's public and private intelligence systems were seeking out breaches of voter registration systems or voting machines, it may have a been a good time for those Russian agencies, which were involved in the 2016 election breaches, to turn their sights on other targets. The hack was the biggest known theft of cybersecurity tools since those of the National Security Agency were purloined in 2016 by a still-unidentified group that calls itself theShadowBrokers. [...] The N.S.A.'s tools were most likely more useful than FireEye's since the U.S. government builds purpose-made digital weapons. FireEye's Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks. Still, the advantage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.

This discussion has been archived. No new comments can be posted.

FireEye, a Top Cybersecurity Firm, Says It Was Hacked By a Nation-State

Comments Filter:
  • by phantomfive ( 622387 ) on Tuesday December 08, 2020 @05:52PM (#60809482) Journal
    Can't keep their own stuff secure, so they blame a "nation state."
    • What in the world are you getting at? FireEye's biggest customers are Federal Government agencies. If a nation state was to finally find a weakness, it would be a public company like FireEye.
      • FireEye is a company (for a while they were run by the ex-ceo of McAfee) that is better at writing press releases than keeping things secure. They only list one hacking technique in the article:

        "the hackers went to extraordinary lengths to avoid being seen. They created several thousand internet protocol addresses — many inside the United States — that had never before been used in attacks. By using those addresses to stage their attack, it allowed the hackers to better conceal their whereabouts

    • It's more like an army that loses a battle. Does that mean they're a crappy army? Depends on how often it happens and against whom.

      The countervailing notion that computer security should be perfect because all you have to do is think of everything and never make a mistake is worthless. It might be true in some highly pedantic sense, if you take it to an absurd extreme.

      • The countervailing notion that computer security should be perfect because all you have to do is think of everything and never make a mistake is worthless.

        Computer security doesn't have to be perfect, but if you're a security company you better be on point. You can have security that is good enough that an attacker would have an easier time with physical attacks than with remote attacks.

      • You're absolutely correct, in the general sense.

        In the specific case of FireEye, they've been hacked in a major way AGAIN because their security sucks.

        FireEye employees some experts at some specific security topics. Their overall security as a company has been pretty bad.

        The last time they had a major hack and the company lost 30% of it's value, it's because their flashship product had a bunch of really, really newbie security mistakes. As in, clearly nobody who knew anything about application security had

        • by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Tuesday December 08, 2020 @10:28PM (#60810354) Homepage

          It happens in any company of significant size... They might have a handful of extremely competent people, but those people are expensive and concentrate on their specific areas. They may not even be aware of the security problems in the rest of the company, or they may simply be ignored when they raise such concerns.

          For everything else they will hire much cheaper people who will make the same errors as any other random company.

          • You're not wrong.

            Of course, some companies are a level 2 pretty much across the board. Level 2 a good target, to not go overboard with security or be sloppy. Heck, a few are level 4, but plenty of companies are level 2 with some areas of 3.

            FireEye, at about a 1, is worse than many companies - and they are a frickin SECURITY company.

            • What are these levels. The problem here is that RFC-3514 was not followed. You don't understand.

              • by raymorris ( 2726007 ) on Wednesday December 09, 2020 @02:03AM (#60810778) Journal

                CMMI is a popular framework for assessing the maturity of processes, especially in software development. You can get lots and lots of info via Google, but basically you look at each area and assess whether quality assurance comes from:

                Level 1 : Hire the right people, and they do things the right way (unless they are having a bad day). Sometimes people don't do things the right way.

                Level 2 : Each team establishes processes and procedures in response to problems. Quality isn't based entirely on luck. This level is very achievable.

                Level 3 : The broader organization has written policies and standards that are generally actually followed. They are proactive, to prevent bad outcomes that have happened to other organizations.

                Level 4 : They measure how well the standards and procedures work, and continuously adapt them to get better and better. Few organizations reach this level.

                Level 5 : Develops best practices used by others. Other organizations learn from this organization. For example, multiple books have been written about the Toyota process, because other companies want to do things as well as Toyota does. That makes Toyota a level 5.

                If you want to ask $300K per your signature, learning how to effectively apply CMMI in your field is a really good way to move that direction. It's the type of thing a good CIO does in a large organization. You can also apply it with your four-person Scrum team as the team grows to 8 people. With four people, you can have four great people. With eight people, you need the *team* to operate in a way that produces quality.

                OpenSAAM takes the CMMI idea and applies it to IT security.
                OpenSAAM uses four levels.

    • by Bert64 ( 520050 )

      It's an attempt to save face...
      Admitting they got owned by a 13yr old with metasploit would be far more damaging for business, so they blame the russians and claim they were "state sponsored" and "highly sophisticated". If it was truly done by such a highly sophisticated group it would be far more difficult to identify them.

    • Besides and code/utils/scripts, they probably nicked protocol deficiencies/holes and mangled packet and injection targets. The solution for all this is for the software vendor to fix their crappy software - by so called security companies reporting what they known and acquiring CSV medals of honor. Otherwise they are golddiggers/goldhats looking to auction/license zerodays to the highest bidder. Hackers know they are wrong. Security firms, in a position of trust - who sit on things are MORE morally bankrup
  • by ytene ( 4376651 ) on Tuesday December 08, 2020 @06:21PM (#60809556)
    I remember a few years ago when JPMorgan revealed that they had been hacked. At the time they claimed it was a nation state actor, too. In their case it turned out to be a relatively small group of cyber criminals.

    I got the impression from the JPMorgan incident that claiming a breach was the act of a “nation state” is actually a pre-emotive defensive measure to stave off a class-action shareholder lawsuit, which might be mounted with the grounds that a company was negligent in their security if they got pwned by a bunch of half-wit criminals.

    In the case of FireEye, the problem they face is potentially even more serious than it was for JPMorgan, given that they are a specialist security company themselves. Getting hacked by anyone *less* than a “nation state” would be pretty embarrassing, right?

    Suspect we might want to wait for data/evidence before taking a view on the actor[s].
    • Security companies and hackers lie a lot. That's why we have the phrase POC||GTFO. These guys haven't presented the evidence that a nation state attacked them. What are these "novel techniques" exactly, and why did anyone with these "advanced capabilities" want to steal average exploits from a second-rate security company?
    • by rtb61 ( 674572 )

      The difference between profits and losses for a internet security company is TAH DAH, how little they spend on actual security. The less they spend the more they keep and not only their own security but the customers as well.

      That is the reality, their profits are exactly the gap between the security they charge for and the cost of the actual security they provide, the bigger the gap, the bigger all the executives bonuses are. When a digital security company gets hacked, it is time for a new company to do yo

      • by rtb61 ( 674572 )

        PS more often than not it is a inside job. You get to keep want you do not spend on your won employees, the cheapest ones you could find to do the job and they can make a damn sight more by providing a back door into the system and whole lot more.

  • by malkavian ( 9512 ) on Tuesday December 08, 2020 @06:35PM (#60809586)

    You always need to win if you're defending. The attackers only need to win once.. Sooner or later, it's fairly inevitable that a concerted effort will compromise your security, no matter how good you are.

  • Remember HBGary (Score:5, Insightful)

    by AlanObject ( 3603453 ) on Tuesday December 08, 2020 @06:46PM (#60809628)

    I recall when the CEO of HB Gary got hacked. They were/are a contractor to the government responsible for security.

    The egregious part of it were the boastful statements the CEO was making before he got hacked. It then turned into pleading the hackers not to spill the goods. Very humiliating.

    Moral: if you work in security it doesn't pay to be arrogant.

    • 1. Nothing new under the sun.

      Leonardo (which is the biggest NATO security contractor) got breached too. It became public information this week.

      2. Security is no longer security. It was once upon a time (I actually worked in that area). Now it is 99% PR. You suck the correct balls, you regularly regurgitate shite and contracts rain from the correct institutions. Bonus points if you do it on days specified by your handler to ensure that it fits with a narrative campaign. An example here would be all "hack

  • If it is as good as fire eye identification of China and Russia persistent threats, then it can be someone like New Guinea. Or a pimple covered youth in a basement.

    Specifically, FireEye continues to "name and shame" for years after a set of hacker tools has been captured and shared inside alliances like 5 eyes, NATO, etc.

    What is the f*cking guarantee that a captured Fancy Bear toolkit which has ended up on the desk of let's say Erdogan's guys will not be reused? None. And that is the sharing we know of.

  • "FireEye, a Top Cybersecurity Firm"

    Maybe not as "top" as they were a few days ago.

  • ... with top-tier offensive capabilities.

    Is that what a kid in a basement is called these days?

  • First rule of “cybersecurity”, don't keep your secrets on a computer connected to the Internet.
  • /Clearly/... not.

    Also, if you've got any clue, you don't ever say "cyber" anymore.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...