
FireEye Breach Fallout Yet to Be Felt

Aftermath of the FireEye breach, reportedly carried out by Russia's SVR foreign intelligence service, raises concerns over what the attackers could do next and how to defend against it.

FireEye's revelation earlier this week that it had been infiltrated by a nation-state hacking operation that stole its red-team hacking tools served as a chilling reminder to the security industry that no one is immune to attack — not even a major incident response company more accustomed to probing and cleaning up the breaches of other high-profile organizations.

Several reports and sources say Russia's SVR foreign intelligence service, aka APT29 or Cozy Bear, was the perpetrator. There are still plenty of unknowns about the attack: how the attackers got initial access to FireEye's systems, what defenses they bypassed and how, whether any Windows zero-days were used, and what internal information, if any, they accessed on what FireEye CEO Kevin Mandia described as their ultimate target: "certain government customers" of the company.

While FireEye attempted to defang the attackers' ability to use its tools in attacks by publishing detailed mitigations, experts say APT29/Cozy Bear could use the purloined red-team tools to glean intel on FireEye clients' weaknesses, or even as a means to cause confusion and sow distrust — trademarks of Russian intelligence — in FireEye and in the tools themselves.


There's also a risk that organizations not tuned into the FireEye breach could mistake Russian intel-controlled use of the red-team tools for legitimate FireEye red-team activity, notes Steve Ryan, former deputy director of the National Security Agency's Threat Operations Center and now CEO and co-founder of security startup Trinity Cyber.

"That puts everything into question. That's Russia's game," he says. "Sowing distrust on their [FireEye's] name and the concept of red teaming" is another potential way the attackers could inflict pain if concerns rise over FireEye's exposure, he adds.

"Then there's the risk of the weaponization of those tools: if these tools can be turned in a way to cause damage in some way and have it put back to FireEye, or succeed [in attacks] because it looks like a FireEye tool," Ryan says.
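The confusion Ryan describes is a triage problem for the defender: once the countermeasure signatures for the stolen tools are deployed, a hit from one of them must not be waved off as "just the red team" unless it lines up with an engagement the organization actually contracted. The following is an added example of that correlation logic (not code from FireEye, Trinity Cyber or Dark Reading). The rule name RT_TOOL_BEACON, the provider name, the hosts, the address ranges and the engagement record are all constructed for illustration; the design point is the default: a stolen-tool signature firing outside a documented window, source range and scope is escalated, not suppressed.

```python
# Added example (not FireEye's or Dark Reading's code): triage hits from
# countermeasure signatures for stolen red-team tooling against the record of
# authorized engagements, so attacker use of the tools is not mistaken for
# legitimate red-team activity. Signature names, hosts, addresses and the
# engagement record below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Engagement:
    provider: str                 # who was contracted to run the exercise
    start: datetime               # authorized window, inclusive, UTC
    end: datetime
    source_nets: tuple            # CIDRs the authorized red team operates from
    in_scope_hosts: frozenset     # hosts the statement of work covers


@dataclass(frozen=True)
class Alert:
    ts: datetime
    signature: str                # countermeasure rule that fired
    src_ip: str
    dst_host: str


def classify(alert: Alert, engagements) -> tuple:
    """Return ('authorized', provider) only when an engagement record covers the
    alert's time, target host and source address.  Anything else returns
    ('investigate', reason): the default is to escalate, because a rule written
    for a stolen tool firing outside a documented exercise is hostile until
    shown otherwise."""
    src = ip_address(alert.src_ip)
    reasons = []
    for e in engagements:
        if not (e.start <= alert.ts <= e.end):
            reasons.append(f"outside {e.provider} window")
            continue
        if alert.dst_host not in e.in_scope_hosts:
            reasons.append(f"{alert.dst_host} not in {e.provider} scope")
            continue
        if not any(src in ip_network(n) for n in e.source_nets):
            reasons.append(f"{alert.src_ip} not a {e.provider} source")
            continue
        return ("authorized", e.provider)
    return ("investigate", "; ".join(reasons) or "no engagement on record")


def triage(alerts, engagements) -> list:
    """Classify every alert, preserving input order."""
    return [classify(a, engagements) for a in alerts]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed engagement record: one contracted exercise, two days, one source range.
ENGAGEMENTS = [
    Engagement(
        provider="contracted-redteam",
        start=_t("2020-12-10T00:00:00+00:00"),
        end=_t("2020-12-12T00:00:00+00:00"),
        source_nets=("198.51.100.0/24",),
        in_scope_hosts=frozenset({"web01", "jump01"}),
    )
]

# Constructed alerts from a hypothetical countermeasure rule named RT_TOOL_BEACON.
ALERTS = [
    Alert(_t("2020-12-10T14:00:00+00:00"), "RT_TOOL_BEACON", "198.51.100.7", "web01"),
    Alert(_t("2020-12-10T14:05:00+00:00"), "RT_TOOL_BEACON", "203.0.113.9", "web01"),
    Alert(_t("2020-12-13T03:00:00+00:00"), "RT_TOOL_BEACON", "198.51.100.7", "web01"),
    Alert(_t("2020-12-11T09:00:00+00:00"), "RT_TOOL_BEACON", "198.51.100.7", "dc01"),
]

if __name__ == "__main__":
    for alert, verdict in zip(ALERTS, triage(ALERTS, ENGAGEMENTS)):
        print(alert.ts.isoformat(), alert.signature, alert.src_ip, "->",
              alert.dst_host, verdict)
```

Of the four constructed alerts only the first is cleared; the second comes from an address outside the red team's range, the third falls after the window closed, and the fourth hits a host the engagement never covered. Each of those is exactly the pattern an adversary reusing the stolen tools would produce, so each is escalated with the reason attached.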

There's also an intel-gathering opportunity for the attackers with the stolen tools. Sounil Yu, CISO-in-residence at VC firm YL Ventures, says there is the possibility that the attackers could glean some intel about the FireEye clients whose networks have been probed by FireEye in red-team exercises. "They're [FireEye] going to have tools that work" on those government agencies who hire them for red teaming, he says.

"The presumption [is] that these tools are effective" against the targets, he says. "This [information] gives them [the attackers] an opportunity to target more efficiently" now, he says.

Dmitri Alperovitch, former CTO and co-founder of CrowdStrike, says he believes the red-team tool theft likely wasn't part of the original plan by the attackers. "I actually think the red-team tools were probably an opportunistic grab: 'While we're there, we might as well download them.'"

He says it's not surprising that the Russian SVR would employ previously unseen, novel attack methods and tactics for the FireEye attack operation. "The infrastructure they set up for this attack was done exclusively for [targeting] FireEye," he says. "SVR is very good — they are one of the best in Russian intel and they're always very stealthy. In this particular case, they have a very high-profile target, a very hard target, and to succeed ... they need to bring in their A game."

The specifics of the methods used in the attack remain a key missing piece that Alperovitch and other security experts hope FireEye eventually will reveal publicly.

"I hope they would share them," Alperovitch says, adding that FireEye's mitigation disclosure was important too. "They [FireEye] deserve a lot of credit for the mitigations for the stolen tools. ... That was a very good step."

FireEye's Mandia indeed has gotten plenty of props from security experts, even those from rival companies, for his relatively detailed disclosure of the attack. "What was really cool is they not only published the red-team tools the Russians stole, but the countermeasures of those tools," Trinity Cyber's Ryan says. That wasn't the case with the NSA's tool breach, the Shadow Brokers leak, he notes. "Everybody was kind of on their own" to defend against attacks using those tools, including the infamous EternalBlue exploit.

It's still unclear whether APT29 accessed any sensitive product information or FireEye intel on other threat actors. YL Ventures' Yu says access to FireEye's product suites could allow APT29 to find ways to bypass the technology, for example. "And FireEye spends a lot of time gathering information and tactics of other threat actor groups. That would be like a playbook of all of your competitors" for the attackers, he says.

Any security company is a big target of determined attackers. "Security companies are always one of the top targets because of how much information they have and how much access they have to customer networks. Obviously, the ability to get into a security vendor can give you insight into the countermeasures they have, and [then] you can evade them to break into their customers' networks," Alperovitch says.

For its part, FireEye says it currently cannot provide any additional information about the attack beyond Mandia's disclosure post.

"We're actively investigating this incident with our partners at Microsoft and coordinating with the FBI. Please know that there may be some delay in our ability to share that information, as we do not want to do anything to interfere with the ability of the FBI to conduct its separate, ongoing investigation," a FireEye spokesperson said. "We want to be absolutely certain we obtain all the evidence available to us to further advance this case, and some disclosures at this point would jeopardize that collection."

Not the First
FireEye isn't alone. Several security companies have been breached over the past 10 years, including Bit9 (now part of VMware), Kaspersky, McAfee, RSA, and Symantec.

"Every security company now is hopefully on notice and thinking hard about how to protect themselves and how to be watchful. How you respond is indicative of how good you are," Alperovitch says.

Enterprise organizations, especially FireEye customers, should apply the mitigations FireEye released, as well as ensure they've applied security patches. Then there's the possibility of an upcoming Microsoft patch if indeed there was a zero-day involved, experts say.

"The fact that Microsoft is involved" indicates the attack could have employed a previously unknown Windows vulnerability, notes Peter Firstbrook, vice president of research at Gartner. "I suspect we're going to find out there was a zero-day."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Reader comment (User Rank: Author), 12/12/2020, 9:02:48 AM
Good Response FireEye
FireEye's release of countermeasures to their stolen tools was the right response! I'm not sure I've seen this before and I hope that they just set the standard. 