WASHINGTON – For years, the cybersecurity firm FireEye has been the first call for government agencies and companies around the world that have been hacked by the most sophisticated attackers, or fear they might have been.
Now it looks like the hackers (in this case, the evidence points to Russia's intelligence services) have taken their revenge.
FireEye announced Tuesday that its own systems had been breached by what it called a "nation with first-class offensive capabilities." The company said the hackers used "novel techniques" to make off with its own toolkit, which could be useful in launching new attacks around the world.
It was a staggering theft, akin to bank robbers who, after cleaning out the local vaults, turned around and stole the F.B.I.'s investigative tools. In fact, shortly after the stock market closed on Tuesday, FireEye said it had called in the F.B.I.
The $3.5 billion company, which makes part of its living identifying the culprits behind some of the world's boldest breaches (its clients have included Sony and Equifax), declined to say explicitly who was responsible. But its description, and the fact that the F.B.I. turned the case over to its Russia specialists, left little doubt about who the leading suspects were and that they were after what the company calls "Red Team tools."
These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses them, with the permission of a client company or government agency, to probe their systems for vulnerabilities. Most of the tools are kept in a digital vault that FireEye closely guards.
The F.B.I. confirmed on Tuesday that the hack was the work of a state, but it also would not say which one. Matt Gorham, assistant director of the F.B.I.'s Cyber Division, said, "The F.B.I. is investigating the incident, and preliminary evidence shows an actor with a high degree of sophistication consistent with a nation-state."
The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention, including FireEye's, was focused on securing the presidential election system. At a moment when the nation's public and private cyberdefenses were watching for breaches of voter registration systems or voting machines, it may have been a good time for the Russian agencies involved in the 2016 election breaches to turn their attention to other targets.
The hack was the biggest known theft of cybersecurity tools since those of the National Security Agency were stolen in 2016 by a still-unidentified group calling itself the ShadowBrokers. That group dumped the N.S.A.'s hacking tools online over several months, handing nation-states and hackers the "keys to the digital kingdom," as one former N.S.A. operator put it. North Korea and Russia ultimately used the N.S.A.'s stolen weaponry in destructive attacks on government agencies, hospitals and the world's biggest conglomerates, at a cost of more than $10 billion.
The N.S.A.'s tools were most likely more useful than FireEye's, since the U.S. government builds purpose-made digital weapons. FireEye's Red Team tools are largely based on malware that the company has seen used in a wide variety of attacks.
The advantage of using stolen weapons, however, is that nation-states can hide their own tracks when they launch attacks.
"Hackers could use FireEye's tools to hack high-risk, high-profile targets with plausible deniability," said Patrick Wardle, a former N.S.A. hacker who is now principal security researcher at Jamf, a software company. "In risky environments, you don't want to burn your best tools. This gives advanced adversaries a chance to use other people's tools without burning their best skills."
A state-sponsored Chinese hacking group was previously caught attacking targets around the world with the N.S.A.'s hacking tools, allegedly after discovering the N.S.A.'s tools on its own systems. "It's like a no-brainer," said Mr. Wardle.
The breach is likely to be a black eye for FireEye. Its investigators worked with Sony after the devastating 2014 attack, which the company later attributed to North Korea. It was FireEye that was called in after the State Department and other American government agencies were breached by Russian hackers in 2015. Its major corporate clients include Equifax, the credit monitoring service that was hacked three years ago in a breach affecting nearly half of the American population.
In the FireEye attack, the hackers went to extraordinary lengths to avoid being seen. They created several thousand internet protocol addresses, many of them inside the United States, that had never before been used in an attack. By staging their attack through those addresses, the hackers were better able to conceal where they were operating from, since defenses that block known-bad or foreign addresses would not have flagged them.
"This attack is different from the tens of thousands of incidents we have responded to over the years," said Kevin Mandia, FireEye's chief executive. (He was the founder of Mandiant, a company that FireEye acquired in 2014.)
But FireEye said it was still investigating exactly how the hackers got past its best-protected systems. Details were thin.
Mr. Mandia, a former Air Force intelligence officer, said the attackers had "tailored their world-class skills specifically to attack FireEye." He said they appeared to be highly trained in "operational security" and displayed "discipline and focus," moving clandestinely to evade detection by security tools and forensic examination. Google, Microsoft and other companies that conduct cybersecurity research said they had never seen some of these techniques.
FireEye also released key elements of its "Red Team" tools so that others around the world could spot attacks that use them.
American investigators are trying to determine whether the attack is in any way related to another sophisticated operation that the N.S.A., in a warning issued on Monday, said Russia was behind. That operation involved a type of software for running virtual machines, or VMs, that is widely used by defense companies and manufacturers. The N.S.A. declined to say what the targets of that attack were. It is unclear whether the Russians used their success in that breach to get into FireEye's systems.
The attack on FireEye could be some kind of retaliation. The company's investigators have repeatedly called out Russian military intelligence, the G.R.U., as well as the S.V.R. and the F.S.B. (the successor to the Soviet K.G.B.), for high-profile hacks on the power grid in Ukraine and on American communities. They were also the first to call out the Russian hackers behind an attack that successfully disabled the industrial safety systems at a Saudi petrochemical plant, the final safeguard before an explosion.
"The Russians believe in revenge," said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. "Suddenly FireEye's customers are vulnerable."
On Tuesday, Russia's National Association for International Information Security hosted a forum with global security experts at which Russian officials reiterated that there was no evidence their hackers were responsible for the attacks that have led to U.S. sanctions and charges.