When companies or governments are attacked, they call in the experts. But what happens when a leading cybersecurity firm is hit? Threat actors are always evolving their tactics and finding new targets. In 2020, FireEye was involved at the very beginning of the massive cyberattack known as SolarWinds and witnessed firsthand the chaos that unfolded.
When an award-winning cybersecurity company is hacked, what does it mean for everyone else? FireEye is a California-based cybersecurity firm and has received multiple awards, such as the Cybersecurity Excellence Award in 2020 and 2021, Infosec Award and the Artificial Intelligence Applications to Autonomous Cybersecurity Challenge in 2019 and 2020. They have been part of the detection and prevention of major cyberattacks, such as hits against Target, JP Morgan Chase, Sony Pictures and Anthem, yet they were still able to be hacked, proving that everyone is susceptible.
FireEye was founded in 2004. At first, their main focus was on developing virtual machines to download and test internet traffic before transferring it to a corporate or government network. They started expanding in 2010 into the Middle East. In the following years, they grew into Asia Pacific, Europe and Africa. FireEye would identify a security breach, then partner with Mandiant to investigate who the hackers were. In 2013, FireEye acquired Mandiant, and it became a subsidiary.
Being hacked, at this point, is inevitable. But how a company responds to that situation can be the difference between making a comeback and losing credibility. FireEye has been open with the public about the breach on their systems and, during their investigation, found another major attack in progress. Unfortunately for many companies and government agencies, this was only the beginning of what would become an 18-month campaign.
On Dec. 8, 2020, FireEye announced they had been breached and that many of their tools had been stolen. They detected the hack almost immediately, so they were able to respond quickly and alert the public. Within days, multiple U.S. agencies were being targeted, such as the departments of State, Treasury, Commerce, Energy and Homeland Security, as well as the National Institutes of Health.
While investigating, FireEye experts found that the attacker targeted some of the Red Team assessment tools that are used to test their customers’ security. The tools imitate the behavior of cyber threat actors and do not contain zero-day exploits. Before they knew if the threat actors were going to use those stolen tools, FireEye developed hundreds of countermeasures for their customers in an effort to minimize the potential impact.
During FireEye’s investigation, they also found reasons to believe that it was a nation-state-backed attack. In a statement by Kevin Mandia, the company’s chief executive, “Based on my 25 years in cybersecurity and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus.”
On Dec. 13, 2020, FireEye inadvertently uncovered a supply chain attack while still investigating its own vulnerabilities. They found evidence that hackers had entered a backdoor in the SolarWinds software and trojanized the SolarWinds Orion business update to distribute malware. This was the start of what led to the major SolarWinds attack. Within a week of the FireEye breach, their stolen tools had been used in at least 19 countries.
“What I’ve seen is 2020 has been about the hardest year, period, to be an information security officer,” FireEye CEO Kevin Mandia told All Things Considered co-host Mary Louise Kelly. “It’s time this nation comes up with some doctrine on what we expect nations’ rules of engagement to be, and what will our policy, or proportional response, be to folks who violate that doctrine. Because right now there’s absolutely an escalation in cyberspace.”
On Jan. 5, 2021, a joint statement by the Federal Bureau of Investigations (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the National Director of Intelligence (ODNI) and the National Security Agency (NSA) was released. It included their conclusion that the threat actor was likely a Russian group.
The SolarWinds effect
The SolarWinds attack was unprecedented due to the sheer breadth of damage it caused. It hit more than 250 federal agencies and businesses in essentially every major sector of the U.S. economy. The attack, amongst other factors, led the Biden administration to institute more Russian sanctions and restrictions.
Cybersecurity and securing federal and critical infrastructure have been big priorities for the Biden administration. An attack such as SolarWinds shows how catastrophic and intricate cyberattacks have become.
Cybersecurity companies are continually working on strengthening their defenses and responses. The FireEye attack illustrates that cybersecurity companies are not immune and could be easily targeted. Luckily for this attack, FireEye investigated and looked ahead to potential damage. They continued to seek out information about their adversaries and helped with the investigation in any way they could.