
Attacks/Breaches

12/8/2020
05:25 PM

Nation-State Hackers Breached FireEye, Stole Its Red Team Tools

"Novel techniques" used by the attackers cheated security tools and forensics, according to FireEye CEO Kevin Mandia.

The cybersecurity firm best known for its incident response (IR) chops today said it had been breached by nation-state attackers who hacked into its systems and stole its red team tools. FireEye CEO Kevin Mandia revealed the hack in a blog post this afternoon, noting the company had contacted the FBI and is working with both the bureau and Microsoft in an investigation of the attack.

"This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye," Mandia said in the post. "They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."


The attackers went after, and obtained, some of the red team assessment tools FireEye uses in its customer engagements. Mandia said the company is providing methods for detecting any malicious use of the stolen tools. So far, there is no sign of the purloined FireEye tools being used in any attacks, but Mandia says his company has created "countermeasures" to detect or block the tools, as well as countermeasures in its own security products; these countermeasures are now available on GitHub.

FireEye did not reveal which nation-state is behind the attack, but The New York Times reported it's believed to be Russia. 

The attackers mostly were looking for information on specific FireEye government customers, but Mandia said it doesn't appear they accessed any customer information from its IR or consulting projects or any metadata collected by FireEye products. They did, however, access some internal FireEye systems, he said.

"If we discover that customer information was taken, we will contact them directly," Mandia said.

Mandia didn't disclose any specifics on how the attackers got past FireEye's own network defenses, but the attack raises age-old concerns about determined attackers' ability to crack even the most advanced security organizations. It's also reminiscent of the so-called Hacking Team's breach and leak of the NSA's hacking tools and the fallout with the EternalBlue exploit. 

John Bambenek, president of Bambenek Labs and a handler with the SANS Internet Storm Center, says the challenge will be getting widespread adoption of the countermeasures FireEye released.

"The countermeasures have to be adopted by everyone, and we know that isn't going to happen," he says. "The first thing everyone should be doing is applying these detection tools in the IDS/IPS devices and endpoint detection tools. The second thing is to have a deep understanding into how these tools work so when the attackers modify the tools to defeat the detection rules FireEye posted, [defenders] can identify more long-term detection mechanisms" to thwart the tools being used against them.

Bambenek says he thinks the attackers were mainly interested in FireEye's red team tools because of their ability to evade detection: "Why do R&D when you can just steal it from FireEye?"

Rick Holland, CISO and vice president of strategy at Digital Shadows, notes that if FireEye's red team tools leak, the fallout will be painful.

"If these tools become widely available, this will be another example of the attackers' barrier to entry getting lower and lower," he said in a statement. "The bottom line here: These tools making it into the wrong hands will make defenders' lives more challenging."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments
secdyne, User Rank: Apprentice | 12/11/2020 | 3:49:04 PM
Re: Proof, yet again, that there is no such thing as computer security
Security is not a binary proposition...it's more analog. That said, any organization can be susceptible to a high-capability threat actor. Despite this being the worst theft of cyberweapons (any tool can be weaponized) since the 2016 Shadow Brokers hit job on the NSA, this incident will in my estimate force the evolution of countermeasures.
tdsan, User Rank: Ninja | 12/10/2020 | 3:15:44 PM
Re: Proof, yet again, that there is no such thing as computer security
Interesting, this is almost laughable. Accenture Government, Army, Air Force, Marriott, NSA and major government installations have allowed hacks to take place across the globe (Air Force - England, Accenture - China, Marriott - ???, NSA - Shadow Brokers and Ed. Snowden, FireEye - Russia, Army - ???, Personnel Division/State Dept - China Red Team, CapitalOne - Paige Thompson).

But one thing about a few of these attacks: specific attacks were identified as an inside attack. I do believe this was the same because they are a reputable security company, so this is surprising to hear.

Anyway, the investigation and unveiling the issue will soon begin.

lancop, User Rank: Moderator | 12/9/2020 | 6:35:22 PM
Proof, yet again, that there is no such thing as computer security
After years of seeing companies with the best network security technologies in the world professionally deployed, operated and maintained, we witness, yet again, that there is no such thing as computer security. Only other targets being breached before they get around to you.

Especially troubling because we de-industrialized our economy in favor of the information economy, and now we know that IP can easily be stolen by foreign powers who want it badly enough. So, what really matters in the 21st century is who has the nimble industrial capability and financial capital to produce, market and improve whatever is successfully stolen from the company that did the hard work of inventing it.

The knowledge economy is no longer proprietary. Where does it leave us in the decades to come?