Nation-State Hackers Breached FireEye, Stole Its Red Team Tools

"Novel techniques" used by the attackers cheated security tools and forensics, according to FireEye CEO Kevin Mandia.

The cybersecurity firm best known for its incident response (IR) chops today said it had been breached by nation-state attackers who hacked into its systems and stole its red team tools. FireEye CEO Kevin Mandia revealed the hack in a blog post this afternoon, noting the company had contacted the FBI and is working with both the bureau and Microsoft in an investigation of the attack.

"This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye," Mandia said in the post. "They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."


The attackers were after, and obtained, some of the red team assessment tools FireEye uses in its customer engagements. Mandia said the company is providing methods to detect any malicious use of the stolen tools. So far, there's no sign of the purloined FireEye tools being used in any attacks, but Mandia says his company has created "countermeasures" to detect or block the tools, as well as countermeasures in its own security products, which are now available on GitHub.

FireEye did not reveal which nation-state is behind the attack, but The New York Times reported it's believed to be Russia. 

The attackers mostly were looking for information on specific FireEye government customers, but Mandia said it doesn't appear they accessed any customer information from its IR or consulting projects or any metadata collected by FireEye products. They did, however, access some internal FireEye systems, he said.

"If we discover that customer information was taken, we will contact them directly," Mandia said.

Mandia didn't disclose any specifics on how the attackers got past FireEye's own network defenses, but the attack raises age-old concerns about determined attackers' ability to crack even the most advanced security organizations. It's also reminiscent of the so-called Hacking Team's breach and leak of the NSA's hacking tools and the fallout with the EternalBlue exploit. 

John Bambenek, president of Bambenek Labs and a handler with the SANS Internet Storm Center, says the challenge will be getting widespread adoption of the countermeasures FireEye released.

"The countermeasures have to be adopted by everyone, and we know that isn't going to happen," he says. "The first thing everyone should be doing is applying these detection tools in the IDS/IPS devices and endpoint detection tools. The second thing is to have a deep understanding into how these tools work so when the attackers modify the tools to defeat the detection rules FireEye posted, [defenders] can identify more long-term detection mechanisms" to thwart the tools being used against them.

Bambenek says he thinks the attackers were mainly interested in FireEye's red team tools because of their ability to evade detection: "Why do R&D when you can just steal it from FireEye?"

Rick Holland, CISO and vice president of strategy at Digital Shadows, notes that if FireEye's red team tools leak, the fallout will be painful.

"If these tools become widely available, this will be another example of the attackers' barrier to entry getting lower and lower," he said in a statement. "The bottom line here: These tools making it into the wrong hands will make defenders' lives more challenging."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
12/11/2020 | 3:49:04 PM
Re: Proof, yet again, that there is no such thing as computer security
Security is not a binary proposition...it's more analog. That said, any organization can be susceptible to a high capability threat actor. Despite this being the worst theft of cyberweapons (any tool can be weaponized) since the 2016 Shadowbrokers hitjob on the NSA, this incident will in my estimate force the evolution of countermeasures. 
User Rank: Ninja
12/10/2020 | 3:15:44 PM
Re: Proof, yet again, that there is no such thing as computer security
Interesting, this is almost laughable. Accenture Government, Army, Airforce, Marriott, NSA and major government installations have allowed hacks to take place across the globe (Airforce - England, Accenture - China, Marriott - ???, NSA - Shadow Brokers and Ed. Snowden, FireEye - Russia, Army - ???, Personnel Division/State Dept - China Red Team, CapitalOne - Paige Thompson)

But one thing about a few of these attacks, specific attacks were identified as an inside attack. I do believe this was the same because they are a reputable security company so this is surprising to hear.

Anyway, the investigation and unveiling the issue will soon begin.

User Rank: Moderator
12/9/2020 | 6:35:22 PM
Proof, yet again, that there is no such thing as computer security
After years of seeing companies with the best network security technologies in the world professionally deployed, operated and maintained, we witness, yet again, that there is no such thing as computer security. Only other targets being breached before they get around to you.

Especially troubling because we de-industrialized our economy in favor of the information economy, and now we know that IP can easily be stolen by foreign powers who want it badly enough. So, what really matters in the 21st century is who has the nimble industrial capability and financial capital to produce, market and improve whatever is successfully stolen from the company that did the hard work of inventing it.

The knowledge economy is no longer proprietary. Where does it leave us in the decades to come?