Dear FireEye Partner,
Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack. We know the trust you have placed in FireEye, and we understand that trust is based on our expertise, our integrity—and our commitment to keep you informed. Therefore, we will be as transparent as possible and share details of the recent cyber attack against FireEye.
During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits.
Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly.
We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.
At this time, we want to ensure that the entire security community is both aware of, and protected against, the attempted use of these Red Team tools. As part of our goal to protect the community, we are proactively releasing all the methods and means we know to detect the use of our stolen Red Team tools. We have developed more than 300 countermeasures that can detect or block the use of our stolen Red Team tools, which we have already uploaded into our security products. For more information on the actions that we are taking in response, please refer to our recent blog post.
We understand that you will have questions about what this means for you and our joint customers and will be holding a series of customer town halls starting Wednesday, December 9th. If you have any specific questions or need more information, please reach out to your partner representative or visit our partner portal here and community here, where you can find a list of responses to Frequently Asked Questions. In the event you are unable to attend one of these town halls, you will also have the opportunity to view a recording via the portal. We are committed to providing additional updates as we have more information to share.
FireEye is on the front lines defending companies and critical infrastructure globally from cyber threats. Over many years, we have identified, cataloged, and publicly disclosed the activities of many Advanced Persistent Threat (APT) groups, empowering the broader security community to detect and block new and emerging threats. It is not surprising that as a leading security firm, we would be targeted by highly sophisticated threat actors, including nation-states.
We’re confident in the efficacy of our products and the processes we use to refine them. We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. I want to personally thank you for the trust you have placed in FireEye, and you have my personal pledge that we will make sure this incident ultimately results in a safer security community that is better equipped to fight and defeat cyber attacks.
Kevin Mandia, CEO