If one of the biggest names in cybersecurity can be breached, what chance does an average person stand against hackers?
That’s a likely question after high-profile cybersecurity firm FireEye earlier this week said hackers breached its network and stole the toolkit it uses to probe customers’ systems to find weaknesses.
The hack was conducted “by a nation with top-tier offensive capabilities,” FireEye CEO Kevin Mandia said Tuesday in a blog post. The company is investigating the incident, as are the Federal Bureau of Investigation and companies such as Microsoft.
Mandia said there is no sign that the hackers have used the stolen tools, nor is there evidence that customer information was stolen. FireEye has developed more than 300 countermeasures against the tools for use by customers and the cybersecurity community.
The hackers “primarily sought information related to certain government customers,” Mandia said in the statement, without naming them.
Milpitas, California-based FireEye, which is publicly traded, has more than 9,600 customers globally including more than 1,000 government and law enforcement agencies.
Russian spies likely culprit in breach
The cybersecurity company did not identify a culprit, but the Russian SVR intelligence service is thought to have committed the breach, The Washington Post reported. The SVR is the same spy agency that in 2015 hacked the Democratic National Committee and has been accused of attempting to steal COVID-19 vaccine research data, The Post reported.
“Preliminary indications show an actor with a high level of sophistication consistent with a nation-state,” Matt Gorham, assistant director of the FBI’s cyber division, told The Post.
The hack was the biggest blow to the U.S. cybersecurity community since a mysterious group known as the “Shadow Brokers” in 2016 released a trove of high-level hacking tools stolen from the National Security Agency.
How did this happen?
Hacks will happen, especially with increased activity by bad actors during the coronavirus pandemic.
FireEye’s Mandia said that this attack is different in that “the attackers tailored their world-class capabilities specifically to target and attack FireEye. … They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
Among the tools the hackers got were ones built around a technique known as “domain fronting,” which hides an attacker’s web traffic behind the domain of a popular brand, including, in this case, Microsoft, The New York Times and USA TODAY.
The strategy relies on the fact that corporate networks rarely block connections to heavily trafficked sites. The outer, encrypted connection names a trusted site such as usatoday.com or nytimes.com, while the request hidden inside it carries a different hostname that a shared content delivery network routes to a server the attacker controls. Security tools watching the network see only the trusted name.
FireEye’s exercises, conducted by its “Red Team,” would send internet traffic disguised as coming from The New York Times or USA TODAY but never “actually went through the domains of either of those companies,” the company said in a statement to USA TODAY.
“We did not seek permission from the news outlets beforehand, nor would we normally seek permission for this kind of use, because we’re not using or sending traffic to their actual infrastructure or using their brands in commerce. It’s only the narrow targeting of specific users at our customer for the purpose of security assessment,” FireEye said. “We have been in communication with both the New York Times and USA Today following Tuesday’s announcement, and advised them of our use of this specific tool.”
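To make the mechanism concrete, here is an added example (not FireEye’s tool, and not code from the article) showing both halves of domain fronting: a client that names a trusted site in the TLS handshake (the SNI extension of the ClientHello) while naming a different host in the HTTP request inside it, and the check a TLS-inspecting proxy can run to flag the mismatch. The host names `www.nytimes.com` and `cdn-edge.example.net` are illustrative only; nothing is sent over the network, the bytes are constructed and parsed locally. Only the SNI extension is emitted in the handshake, which is enough for the parser but not for a real TLS server.

```python
import struct

# Added example: builds a minimal TLS ClientHello whose only extension is
# server_name (SNI), the field network filters and CDN edges look at.
def build_client_hello(server_name: str, random_bytes: bytes = b"\x00" * 32) -> bytes:
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # type host_name(0), len, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry        # server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                              # client_version TLS 1.2
        + random_bytes                           # 32-byte client random (fixed here, constructed)
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake(22)


# Walks the ClientHello and returns the SNI host name, or None if absent.
def extract_sni(record: bytes):
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                   # skip version and random
    p += 1 + body[p]                             # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher_suites
    p += 1 + body[p]                             # compression_methods
    if p + 2 > len(body):
        return None                              # no extensions block at all
    ext_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        edata = body[p:p + elen]
        p += elen
        if etype == 0x0000:
            q = 2                                # skip server_name_list length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return edata[q:q + nlen].decode("ascii", "replace")
                q += nlen
    return None


# The fronted client: the TLS layer names front_host (what the network sees),
# the HTTP layer names hidden_host (what the CDN actually routes to).
def build_fronted_request(front_host: str, hidden_host: str, path: str = "/"):
    client_hello = build_client_hello(front_host)
    request = (
        f"GET {path} HTTP/1.1\r\nHost: {hidden_host}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    return client_hello, request


def host_header(http_request: bytes):
    for line in http_request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


# The defender's check: a proxy that terminates TLS can compare the SNI it
# saw in the handshake with the Host header it sees inside the tunnel.
def is_fronted(client_hello: bytes, http_request: bytes) -> bool:
    sni = extract_sni(client_hello)
    host = host_header(http_request)
    return sni is not None and host is not None and sni.lower() != host.lower()


if __name__ == "__main__":
    hello, req = build_fronted_request("www.nytimes.com", "cdn-edge.example.net")
    print("SNI:", extract_sni(hello), "| Host:", host_header(req), "| fronted:", is_fronted(hello, req))
```

The check in `is_fronted` only works where the HTTP layer is visible, that is, on a proxy that breaks and inspects TLS; a passive sensor sees the trusted SNI and nothing else, which is exactly why the technique defeated the network controls described above. Since 2018 the major CDNs, including Google and Amazon CloudFront, have moved to reject requests whose SNI and Host header point to different customers, so the mismatch itself is now a strong signal worth alerting on.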
Other recent spoofed brands used in ransomware attacks include Amazon, Apple, UPS and Zoom.
How big a deal is it?
This is not the first time a cybersecurity firm has been targeted and the results “can have a long-term effect on organizations worldwide,” said Ilia Sotnikov, vice president of product management at cybersecurity software provider Netwrix. “This attack can also make advanced attacking tools and techniques available to a wider population of less sophisticated cybercriminals.”
Companies’ cybersecurity teams should “immediately take advantage of countermeasures offered by FireEye” and be on the alert for additional security updates, he said. “This attack is another piece of evidence that a motivated hacker will be able to compromise any organization, no matter how well it is protected. Our new normal right now is to be open about a data breach and own the message as FireEye did.”
FireEye’s “actions have been commendable,” tweeted Grady Summers, executive vice president for products for identity security software provider SailPoint. Summers, who previously worked at FireEye, responded to online criticism directed at FireEye in a thread of tweets.
“I think it would be justifiable to say that this breach – if never made public – would not have met the threshold for reporting due to adverse financial impact,” Summers said. “I believe that FireEye did this because their leadership team, starting with Kevin, is ethical in their DNA – and they care more about customers and the community more than they care about short-term impact to the stock price.”
And the breach won’t likely hurt FireEye’s competitiveness, he said. “They will rebuild their toolset and not miss a beat.”
What are average folks to do?
The good news for the average person is that any threat to them is low – be happy you are a small fish in a big cyber sea – but the threat to companies or government entities where they work is higher.
Since more Americans began working from home during the coronavirus pandemic, internal actions, including accidental lapses by employees, have led to an increase in cybersecurity incidents, Netwrix found.
While working, employees should remember to follow corporate cybersecurity advisories. “These tools primarily exploit corporate systems, but it is a good reminder for everyone to make sure they are keeping their personal devices, apps, and software up to date,” said Jerry Gamblin, director of security research at Kenna Security, which helps companies monitor and manage cyber risks.
“This would include downloading and installing updates for the phones, tablets, and computers that every member of your family uses,” Gamblin said.
People should focus on cybersecurity, especially in making strong passwords and not using them across different services, Microsoft said in a September report citing more sophisticated phishing campaigns.
“If you have a device with a password, then you must assume it has – or will be – compromised at some point,” said Nate Fick, general manager for data security firm Elastic.
Users should change passwords regularly, never reuse one across multiple accounts, and opt in to multi-factor authentication, which typically sends a one-time code by text or email when you log in, he said.
“Every consumer should be concerned when they read about a widespread security breach, especially one where the perpetrator is identified as a nation-state and where the target has sophisticated defenses, as in this case,” Fick said. “A common philosophy among security professionals is to assume a state of compromise, and then act accordingly.”
Contributing: The Associated Press
Follow Mike Snider on Twitter: @MikeSnider.