FireEye said a “highly sophisticated threat actor” stole its internal hacking tools in what the cybersecurity vendor believes was a nation-state attack targeting its government customers.
“Based on my 25 years in cybersecurity and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” FireEye CEO Kevin Mandia wrote in a blog post. He did not name the suspected nation state or hacking group, but he added that FireEye is coordinating its investigation with the FBI and Microsoft.
FireEye’s breach disclosure comes a day after the U.S. National Security Agency warned that Russian state-sponsored hackers are actively exploiting a bug in VMware products used by the National Security System and the Department of Defense.
In attacking FireEye, the attackers used a combination of hacking techniques that Mandia said neither his company nor its partners have seen before.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” he wrote. “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination.”
No Zero-Day Exploits Stolen

FireEye determined that the nation state targeted and stole its Red Team tools that it uses to test its customers’ security. None of the tools contain zero-day exploits, Mandia said.
“We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them,” he wrote. “Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.”
The vendor already implemented the countermeasures in its security products, and shared them with the larger security sector so that other providers can update their security tools. Additionally, it made the countermeasures publicly available on GitHub.
And although the attacker gained access to some of FireEye’s internal systems, Mandia said he hasn’t seen any evidence that the group stole any customer information in the attack.
In addition to government agencies, FireEye’s customers include defense contractors and major enterprises such as Equifax, Vodafone, and Infosys.
Did Russia Attack FireEye?

While FireEye didn’t disclose which nation state it believes to be responsible for the attack, some news organizations including the New York Times are reporting that the FBI turned the case over to its Russia specialists.
“Russia is a good guess,” said Gartner Research VP Peter Firstbrook. “It could be China as well or North Korea. All are pretty good state actors,” and any of the three would have a strong interest in stealing information from FireEye’s government and defense customers, he added.
Because the attacker used unknown techniques and tactics to breach FireEye, the security vendor likely detected the attack via telemetry that caught unusual network behavior, Firstbrook said.
“The good news is, now we know about it, it’s really hard to replicate that success,” he added. “You have to come up with a brand-new technique that nobody’s seen before, because FireEye already shared that information with all the other defenders. So the good news is, this technique doesn’t work anymore. The bad news is, it worked the first time.”