FireEye identifies flaw in networking monitoring software as US agencies attacked

The UK’s National Cyber Security Centre (NCSC) is advising organisations to keep up to date with FireEye’s investigation into a security breach, which has identified a flaw in a network monitoring product from SolarWinds.

Last week, cyber attackers working on behalf of an undisclosed nation-state actor compromised the systems of FireEye and accessed and stole some hacking tools the company uses to conduct red team assessments of its customers’ security. 

Following early investigations of multiple organisations, FireEye said it had identified that compromises could date back to the spring of 2020 and it was in the process of notifying the organisations affected.

In a blogpost updating customers, FireEye said: “Our analysis indicates that these compromises are not self-propagating; each of the attacks requires meticulous planning and manual interaction. Our ongoing investigation uncovered this campaign, and we are sharing this information consistent with our standard practice.”

FireEye said it was coordinating with SolarWinds, the US Federal Bureau of Investigation (FBI) and other organisations. “We believe it is critical to notify all our customers and the security community about this threat so organisations can take appropriate steps,” it added. “As this activity is the subject of an ongoing FBI investigation, there are also limits to the information we are able to share at this time.”

FireEye said it had updated its products to “detect the known altered SolarWinds binaries”.

Meanwhile, the US government has told all federal civilian agencies to disconnect from SolarWinds after its treasury and commerce departments were hacked. The US Cybersecurity and Infrastructure Security Agency said the current hack could compromise government systems.

In the UK, the NCSC said it was working closely with FireEye and international partners in relation to the attack. “Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any UK impact,” it said in a statement.

“The NCSC recommends that organisations read FireEye’s update on their investigation and follow the company’s suggested security mitigations.”

FireEye said organisations should ensure that any instances of SolarWinds Orion are configured according to the latest guidance. It said they should have these instances installed behind firewalls, disable internet access for the instances, and limit the ports and connections to only what is critical.

Chris Krebs, former US director of the Cybersecurity and Infrastructure Security Agency, tweeted: “If you’re a SolarWinds customer and use the [Orion] product, assume compromise and immediately activate your incident response team. Odds are you’re not affected, as this may be a resource intensive hack. Focus on your Crown Jewels. You can manage this.”

The attack on FireEye is reminiscent of the Shadow Brokers attacks on the US National Security Agency, which ultimately resulted in the theft of the exploits used in the devastating WannaCry attacks of May 2017.

The group went on to establish a subscription service for the purloined zero-day exploits, and there has been widespread speculation already that the FireEye incident may result in a similar outcome.

The attack also demonstrates that even with the optimum security controls and watertight policies in place, organisations have no control over whether or not they fall victim to a cyber attack.