This time Kevin Mandia got it himself. His company Fireeye hunts down hackers, Fireeye is one of the most famous cybersecurity companies in the world. It secured the US elections, and nation states call its teams when international hacker attacks are to be exposed. Now Mandia doesn’t have to report about a hacked country, but about its own company. Fireeye was hacked himself, by a rather sophisticated attacker, as Mandia emphasizes and must point out, after all, his company stands for cyber defense. “The discipline, the operational security and the techniques used indicate that the attacker was supported by a nation-state,” he writes on the company’s blog.

Mandia founded Red Cliff Consulting in 2004, the company was later renamed Mandiant. Then Mandiant was bought by Fireeye, today he is the CEO of the entire group. With 25 years of experience in the business, he now believes that only elite attackers can be behind the hack. The hack was tailored precisely to Fireeye, but the company does not reveal to what extent. He turned on the FBI. State authorities usually call on companies like Fireeye to investigate cyber incidents. Now it’s the other way around.


It is hardly to be expected that the FBI will have more technical and personnel know-how to solve the case. In fact, it is more likely to be about political support. Because Russian hackers are suspected. Fireeye himself has not accused Russia and does not want to commit itself when asked by SZ, but only a few nation states fit the description of the attackers by the company. Such top attackers only include: the USA itself, China and Russia. The New York Times According to the FBI, the case has been handed over to its own Russia specialists.

Digital weapons arsenal looted

According to Fireeye, the hackers primarily looted the company’s digital arsenal, the “Red Team” tools. Red teams are “good” hackers hired by companies who try to overcome the company’s IT security in so-called penetration tests that have been agreed in advance. To do this, they use tools that are similar to those that criminal hackers use for their raids. Fireeye’s digital tools could come in handy for state hackers, ex-NSA hacker Patrick Wardle said Times: “With the Fireeye tools, the hackers could attack high-risk targets – without much risk of being discovered themselves.”

The most capable groups of hackers are identified by the tools and techniques used in their attacks. New tools that have not been used for raids can therefore be a good catch for the hackers. Fireeye also emphasizes that the hackers were probably after these tools.


However, it seems unlikely that the alleged Russian attackers are targeting only the company’s own hacking tools. After all, they have shown that even without them, they are capable of breaking into the Fireeye network. Internal reports from the company should also be very interesting for hackers, such as forensic analyzes of past attacks on nation states, but also reports on penetration tests. Not all of the companies investigated by Fireeye will have immediately closed all security vulnerabilities discovered. Such information could be useful to the hackers on later raids. According to Fireeye, however, there is so far no evidence that such data has actually leaked.

As the CEO of a listed company, Kevin Mandia refers in the blog entry to US securities laws, according to which his sentences are to be understood as “forward-looking statements”. In terms of stock exchange law, this means: The level of knowledge can change at any time. At the latest when data and digital intrusion tools from Fireeye are used in spectacular hacks.