FireEye: There Was No Breach, Attacker Fabricated Documents

FireEye said that the attacker responsible for compromising two of its customers did so without any breach of its networks—despite “multiple failed attempts to do so.” Further, the pool of FireEye customers impacted remains standing at two.

As we reported last week, the cybersecurity company said that preliminary investigations showed that “at least two” of its customers had been impacted by a malicious actor. Now, chief security officer Steven Booth, in a blog post, confirmed this week that there are no further victims. 

“Two customer names were identified in the victim’s personal email and disclosed by the attacker. We believe these are the only two customers impacted by this incident,” he said. “We contacted the two identified customers as soon as we learned of this incident and have kept them apprised of the situation throughout the week.”

Further, the attacker claimed he had breached the FireEye corporate network, and said in a since-deleted Pastebin manifesto that his cache of ill-gotten goods contained “top secret document, complete business and personal emails dump, FireEye licenses, private contracts,” along with Mandiant internal network and client data. FireEye said that this picture is a complete fabrication.

In reality, the attacker was able to access, steal and publicly release only three FireEye corporate documents. The rest are faked screenshots or non-sensitive information.

“A number of the screen captures created by the attacker and posted online are misleading, and seem intentionally so,” Booth said. “They falsely implied successful access to our corporate network, despite the fact that we identified only failed login attempts from the attacker. All of the other documents released by the attacker [other than the three mentioned] were previously publicly available or were screen captures created by the attacker.”

Instead, the original compromise began with the capture of passwords and/or credentials to an individual’s personal social media and email accounts. FireEye refers to this individual only as “the victim,” but added that this person, apparently a FireEye employee or former employee, “supports a very small number of customers.” The company contained the victim’s systems, collected and reviewed forensic data from those systems, disabled victim’s FireEye corporate accounts and worked with the victim to regain control of his personal online accounts, including implementing multi-factor authentication where possible.

“The attacker did not breach, compromise or access the victim’s personal or corporate computers, laptops or other devices,” Booth said.

While spearphishing seems an obvious attack vector, the compromised credentials would have been an easy “get” for the attacker; they were already exposed in at least eight publicly disclosed third-party breaches (including LinkedIn), FireEye said, dating back to 2016 and earlier.

Starting in September 2016, the attacker used those stolen credentials to access several of the victim’s personal online accounts, including LinkedIn, Hotmail and OneDrive accounts.

What’s Hot on Infosecurity Magazine?