


Nation-State Hackers Breached FireEye, Stole Its Red Team Tools

"Novel techniques" used by the attackers cheated security tools and forensics, according to FireEye CEO Kevin Mandia.

The cybersecurity firm best known for its incident response (IR) chops today said it had been breached by nation-state attackers who hacked into its systems and stole its red team tools. FireEye CEO Kevin Mandia revealed the hack in a blog post this afternoon, noting the company had contacted the FBI and is working with both the bureau and Microsoft in an investigation of the attack.

"This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye," Mandia said in the post. "They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."


The attackers sought, and obtained, some of the red team assessment tools FireEye uses in its customer engagements. Mandia said the company is providing methods to detect any malicious use of the stolen tools. So far, there is no sign of the purloined FireEye tools being used in any attacks, but Mandia says his company has created "countermeasures" to detect or block the tools, as well as countermeasures in its own security products, which are now available on GitHub.

FireEye did not reveal which nation-state is behind the attack, but The New York Times reported it's believed to be Russia.

The attackers mostly were looking for information on specific FireEye government customers, but Mandia said it doesn't appear they accessed any customer information from its IR or consulting projects or any metadata collected by FireEye products. They did, however, access some internal FireEye systems, he said.

"If we discover that customer information was taken, we will contact them directly," Mandia said.

Mandia didn't disclose any specifics on how the attackers got past FireEye's own network defenses, but the attack raises age-old concerns about determined attackers' ability to crack even the most advanced security organizations. It's also reminiscent of the so-called Hacking Team's breach and leak of the NSA's hacking tools and the fallout with the EternalBlue exploit. 

John Bambenek, president of Bambenek Labs and a handler with the SANS Internet Storm Center, says the challenge will be getting widespread adoption of the countermeasures FireEye released.

"The countermeasures have to be adopted by everyone, and we know that isn't going to happen," he says. "The first thing everyone should be doing is applying these detection tools in the IDS/IPS devices and endpoint detection tools. The second thing is to have a deep understanding into how these tools work so when the attackers modify the tools to defeat the detection rules FireEye posted, [defenders] can identify more long-term detection mechanisms" to thwart the tools being used against them.

Bambenek says he thinks the attackers were mainly interested in FireEye's red team tools because of their ability to evade detection: "Why do R&D when you can just steal it from FireEye?"

Rick Holland, CISO and vice president of strategy at Digital Shadows, notes that if FireEye's red team tools leak, the fallout will be painful.

"If these tools become widely available, this will be another example of the attackers' barrier to entry getting lower and lower," he said in a statement. "The bottom line here: These tools making it into the wrong hands will make defenders' lives more challenging."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
12/11/2020 | 3:49:04 PM
Re: Proof, yet again, that there is no such thing as computer security
Security is not a binary proposition...it's more analog. That said, any organization can be susceptible to a high-capability threat actor. Despite this being the worst theft of cyberweapons (any tool can be weaponized) since the 2016 Shadow Brokers hit job on the NSA, this incident will in my estimate force the evolution of countermeasures.
User Rank: Ninja
12/10/2020 | 3:15:44 PM
Re: Proof, yet again, that there is no such thing as computer security
Interesting, this is almost laughable. Accenture Government, Army, Air Force, Marriott, NSA and major government installations have allowed hacks to take place across the globe (Air Force - England, Accenture - China, Marriott - ???, NSA - Shadow Brokers and Ed. Snowden, FireEye - Russia, Army - ???, Personnel Division/State Dept - China Red Team, CapitalOne - Paige Thompson)

But one thing about a few of these attacks: specific attacks were identified as an inside attack. I do believe this was the same because they are a reputable security company, so this is surprising to hear.

Anyway, the investigation and unveiling the issue will soon begin.

User Rank: Moderator
12/9/2020 | 6:35:22 PM
Proof, yet again, that there is no such thing as computer security
After years of seeing companies with the best network security technologies in the world professionally deployed, operated and maintained, we witness, yet again, that there is no such thing as computer security. Only other targets being breached before they get around to you.

Especially troubling because we de-industrialized our economy in favor of the information economy, and now we know that IP can easily be stolen by foreign powers who want it badly enough. So, what really matters in the 21st century is who has the nimble industrial capability and financial capital to produce, market and improve whatever is successfully stolen from the company that did the hard work of inventing it.

The knowledge economy is no longer proprietary. Where does it leave us in the decades to come?