Page last updated on April 11, 2024
Mandiant, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2020-12-08 16:01:14 EST.
Incident Details
Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)
Compromised Date:
Detected Date:
Disclosure Date: 2020-12-08
Contained Date:
Recovered Date:
Attack Goal: Unknown
Costs: No Costs Tracked (yet)
Filings
8-K filed on 2020-12-08
Mandiant, Inc. filed an 8-K at 2020-12-08 16:01:14 EST
Accession Number: 0001370880-20-000037
Item 8.01 Other Events.
On December 8, 2020, concurrently with the filing of this Current Report on Form 8-K, FireEye, Inc. (“FireEye”, “we”, “our” or “us”) is announcing on our corporate blog that FireEye recently was attacked by a highly sophisticated cyber threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack. Based on his 25 years in cyber security and responding to incidents, Kevin Mandia, our Chief Executive Officer, concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past. We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.
During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools. We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools. We have seen no evidence to date that any attacker has used the stolen Red Team tools. We, as well as others in the security community, will continue to monitor for any such activity. At this time, we want to ensure that the entire security community is both aware and protected against the attempted use of these Red Team tools.
Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly.
For additional information, please see FireEye’s corporate blog at fireeye.com/blog. We currently intend that any further announcements regarding the security incident will be disclosed on our corporate blog at fireeye.com/blog or social media (twitter.com/fireeye; twitter.com/mandiant; facebook.com/FireEye/; and/or linkedin.com/company/fireeye).
8-K filed on 2020-12-14
Mandiant, Inc. filed an 8-K at 2020-12-14 06:12:37 EST
Accession Number: 0001370880-20-000039
Item 8.01 Other Events.
On December 8, 2020, FireEye, Inc. (“FireEye”, “we”, “our” or “us”) filed a Current Report on Form 8-K and issued a blog post announcing a security incident. On December 13, 2020, we provided the following update on our investigation on our corporate blog at fireeye.com/blog.
We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain. This compromise is delivered through updates to a widely-used IT infrastructure management software - the Orion network monitoring product from SolarWinds. The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.
Based on our analysis, the attacks that we believe have been conducted as part of this campaign share certain common elements:
- Use of malicious SolarWinds update: Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment
- Light malware footprint: Using limited malware to accomplish the mission while avoiding detection
- Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity
- High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools
Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020, and we are in the process of notifying those organizations. Our analysis indicates that these compromises are not self-propagating; each of the attacks requires meticulous planning and manual interaction. Our ongoing investigation uncovered this campaign, and we are sharing this information consistent with our standard practice.
We have been in close coordination with SolarWinds, the Federal Bureau of Investigation, and other key partners. We believe it is critical to notify all our customers and the security community about this threat so organizations can take appropriate steps. As this activity is the subject of an ongoing FBI investigation, there are also limits to the information we are able to share at this time.
We have already updated our products to detect the known altered SolarWinds binaries. We are also scanning for any traces of activity by this actor and reaching out to both customers and non-customers if we see potential indicators.
For additional information, please see FireEye’s corporate blog at fireeye.com/blog. We currently intend that any further announcements regarding the security incident will be disclosed on our corporate blog at fireeye.com/blog or social media (twitter.com/fireeye; twitter.com/mandiant; facebook.com/FireEye/; and/or linkedin.com/company/fireeye).
Company Information
| Field | Value |
| --- | --- |
| Name | Mandiant, Inc. |
| CIK | 0001370880 |
| SIC Description | Computer Peripheral Equipment, NEC |
| Ticker | |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |