FireEye's revelation earlier this week that it had been infiltrated by a nation-state hacking operation that stole its red-team hacking tools served as a chilling reminder to the security industry that no one is impermeable to an attack — not even a major incident response company more accustomed to probing and cleaning up the breaches of other high-profile organizations.
Several reports and sources say Russia's SVR foreign service agency, aka APT 29 or Cozy Bear, was the perpetrator. There are still plenty of unknowns about the attack: how the attackers got initial access to FireEye's systems, what defenses they bypassed and how, whether any Windows zero-days were used, and just what if any internal information they accessed on what FireEye CEO Kevin Mandia described as their ultimate target: "certain government customers" of the company.
While FireEye attempted to defang the attacker's ability to use its tools in attacks by publishing detailed mitigations, experts say APT29/Cozy Bear could use the purloined red-team tools to glean intel on its clients' weaknesses or even as a means to cause confusion and sow distrust — trademarks of Russian intelligence — of FireEye and the tools themselves, experts say.
There's also a risk of organizations that are not tuned into the FireEye breach mistaking Russian intel-controlled red-team maneuvers as legitimate FireEye red-team activity, for example, notes Steve Ryan, former deputy director of the National Security Agency's Threat Operations Center, and now CEO and co-founder of security startup Trinity Cyber.
"That puts everything into question. That's Russia's game," he says. "Sowing distrust on their [FireEye's] name and the concept of red teaming," he says, is another potential way they could inflict pain if concerns rise over FireEye's exposure.
"Then there's the risk of the weaponization of those tools: if these tools can be turned in a way to cause damage in some way and have it put back to FireEye, or succeed [in attacks] because it looks like a FireEye tool," Ryan says.
There's also an intel-gathering opportunity for the attackers with the stolen tools. Sounil Yu, CISO-in-residence at VC firm YL Ventures, says there is the possibility that the attackers could glean some intel about the FireEye clients whose networks have been probed by FireEye in red-team exercises. "They're [FireEye] going to have tools that work" on those government agencies who hire them for red teaming, he says.
"The presumption [is] that these tools are effective" against the targets, he says. "This [information] gives them [the attackers] an opportunity to target more efficiently" now, he says.
Dmitri Alperovitch, former CTO and co-founder of CrowdStrike, says he believes the red-team tool theft likely wasn't part of the original plan by the attackers. "I actually think the red-team tools were probably an opportunistic grab: 'While we're there, we might as well download them.'"
He says it's not surprising that the Russian SVR would employ previously unseen, novel attack methods and tactics for the FireEye attack operation. "The infrastructure they set up for this attack was done exclusively for [targeting] FireEye," he says. "SVR is very good — they are one of the best in Russian intel and they're always very stealthy. In this particular case, they have a very high-profile target, a very hard target, and to succeed ... they need to bring in their A game."
The specifics of the methods used in the attack remains a key missing piece that Alperovitch and other security experts hope FireEye eventually will reveal publicly.
"I hope they would share them," Alperovitch says, adding that FireEye's mitigation disclosure was important too. "They [FireEye] deserve a lot of credit for the mitigations for the stolen tools. ... That was a very good step."
FireEye's Mandia indeed has gotten plenty of props from security experts, even those from rival companies, for his relatively detailed disclosure of the attack. "What was really cool is they not only published the red-team tools the Russians stole, but the countermeasures of those tools," Trinity Cyber's Ryan says. That wasn't the case with the NSA's tool breach, he notes. "Everybody was kind of on their own" to defend against attacks using them, including the infamous EternalBlue exploit.
It's still unclear whether APT29 accessed any sensitive product information or FireEye intel on other threat actors. YL Ventures' Yu says access to FireEye's product suites could allow APT29 to find ways to bypass the technology, for example. "And FireEye spends a lot of time gathering information and tactics of other threat actor groups. That would be like a playbook of all of your competitors" for the attackers, he says.
Any security company is a big target of determined attackers. "Security companies are always one of top targets because of how much information they have and how much access they have to customer networks. Obviously, the ability to get into a security vendor can give you insight into the countermeasures they have, and [then] you can evade them to break into their customers' networks," Alperovitch says.
For its part, FireEye says it currently cannot provide any additional information about the attack beyond Mandia's disclosure post.
"We're actively investigating this incident with our partners at Microsoft and coordinating with the FBI. Please know that there may be some delay in our ability to share that information, as we do not want to do anything to interfere with the ability of the FBI to conduct its separate, ongoing investigation," a FireEye spokesperson said. "We want to be absolutely certain we obtain all the evidence available to us to further advance this case, and some disclosures at this point would jeopardize that collection."
Not the First
FireEye isn't alone. Several security companies have been breached over the past 10 years, including Bit9 (now part of VMware), Kaspersky, McAfee, RSA, and Symantec.
"Every security company now is hopefully on notice and thinking hard about how to protect themselves and how to be watchful. How you respond is indicative of how good you are," Alperovitch says.
Enterprise organizations, especially FireEye customers, should apply the mitigations FireEye released, as well as ensure they've applied security patches. Then there's the possibility of an upcoming Microsoft patch if indeed there was a zero-day involved, experts say.
"The fact that Microsoft is involved" indicates the attack could have employed a previously unknown Windows vulnerability, notes Peter Firstbrook, vice president of research at Gartner. "I suspect we're going to find out there was a zero-day."