Cybersecurity firm FireEye says it was targeted by international hackers

Kevin Mandia, Chief Executive of FireEye
Kevin Mandia, Chief Executive of FireEye, testifies before the Senate Intelligence Committee hearing on Capitol Hill in Washington in 2017 on Russian intelligence activities.
(Susan Walsh / AP Photo

The cybersecurity firm FireEye Inc. said it had been hacked and that the attackers stole tools the company uses to test the defenses of its customers’ computer networks to find potential vulnerabilities.

The attackers were a “nation with top-tier offensive capabilities,” Chief Executive Kevin Mandia said. He didn’t identify the country suspected to be behind the attack.

“The attackers tailored their world-class capabilities specifically to target and attack FireEye,” Mandia said Tuesday in a company blog . “They are highly trained in operational security and executed with discipline and focus.”

The tools taken, known as “red team tools” in the security community, mimic the behavior of hackers and enable FireEye to provide “diagnostic security services” to customers, Mandia said. He said the company had seen no evidence that anyone had used the tools in a cyberattack.

FireEye shares dropped 7.5% in extended trading after the incident was announced.

The hack was discovered in recent weeks by FireEye, when it found a suspicious log in that had surpassed the two-factor authentication requirement on its virtual private network, according to the company. The attackers carried out the hack from two dozen IP addresses based in the U.S., none of which have been detected as part of a cyberattack before — the type of sophisticated tactics that led FireEye to believe a foreign intelligence service was behind the incident.


“Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers,” Mandia wrote. He added that, although the hackers accessed “some of our internal systems,” they didn’t appear to steal customer data.

FireEye is investigating the attack with the FBI and Microsoft Corp. The company is also publishing information that can help neutralize the tools that were stolen.

The case has similarities to a breach of the National Security Agency, when hackers stole U.S. cyberweapons and a mysterious group known as the “Shadow Brokers” published them online starting in 2016.

“This incident demonstrates why the security industry must work together to defend against and respond to threats posed by well-funded adversaries using novel and sophisticated attack techniques,” Microsoft said in a statement, which also commended FireEye for disclosing the breach.