FireEye hacked by state-sponsored and sophisticated threat actors

Cybersecurity firm fell victim to a hacker attack: Red Team penetration testing tools stolen

Cyber security firm hit by a hacker: a highly sophisticated actor hit FireEye, a company that helps customers with their security issues.

FireEye, one of the largest firms that organizations turn to after security incidents and cyber attacks, was hit by a highly sophisticated hacker attack.[1] According to reports,[2] the attackers stole Red Team penetration testing tools. FireEye uses these tools to test the defenses of its customers. The threat actor group is believed to be state-sponsored.[3] When such tools are abused by malicious actors, the consequences can be serious.

This attack is different from the tens of thousands of incidents we have responded to throughout the years.

FireEye has not identified the culprit behind the breach or stated when the attack took place, but the firm is actively investigating.[3] The FBI has assigned its Russia specialists to the case, and the attack is possibly linked to state-sponsored hackers affiliated with Russia's SVR Foreign Intelligence Service.[4]

Hacking tools can get abused to take control of any targeted systems

It is not known whether these hacking tools have been used in the wild, but in the wrong hands the tooling can be used to subvert security barriers and compromise other systems. FireEye states that the stolen Red Team penetration testing tools do not contain zero-day[5] exploits. According to FireEye's official response:

These tools mimic the behavior of many cyberthreat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen red team tools.

These tools are commonly used by security organizations that need to mimic real-world attacks in order to help customers avoid such incidents. Assessing an organization's detection and response capabilities helps evaluate its overall security posture. When such tools are stolen, it becomes much easier for attackers to launch attacks against victims.
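The countermeasures FireEye mentions releasing are detection content (file hashes and signatures) that defenders apply to their own systems. The script below is an added illustration written for this article, not code from FireEye or from its published countermeasures: it applies two constructed rule types, a known-bad SHA-256 hash and a set of byte-string indicators, to constructed sample artifacts, and shows why hash-only rules are brittle (a single patched byte defeats them) while string-based rules still fire. All rule names, strings and sample files are assumptions made up for the example.

```python
"""Apply published-style detection indicators to local artifacts.

Added example for illustration only. Every rule, indicator string and
sample artifact below is constructed; none comes from a real rule set.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Rule:
    """A detection rule combining known-bad hashes and byte-string indicators."""
    name: str
    sha256: Set[str] = field(default_factory=set)      # exact file hashes
    strings: List[bytes] = field(default_factory=list)  # indicator substrings
    min_strings: int = 1                                # hits needed to fire


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact, the form hash indicators are usually published in."""
    return hashlib.sha256(data).hexdigest()


def match_rule(rule: Rule, data: bytes) -> List[str]:
    """Return the reasons a rule fired on `data` (empty list means no match)."""
    reasons = []
    digest = sha256_hex(data)
    if digest in rule.sha256:
        reasons.append(f"sha256:{digest[:12]}")
    hits = [s for s in rule.strings if s in data]
    if rule.strings and len(hits) >= rule.min_strings:
        reasons.append(f"strings:{len(hits)}/{len(rule.strings)}")
    return reasons


def scan(artifacts: Dict[str, bytes], rules: List[Rule]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Map each artifact name to the (rule name, reasons) pairs that matched it."""
    findings: Dict[str, List[Tuple[str, List[str]]]] = {}
    for name, data in artifacts.items():
        for rule in rules:
            reasons = match_rule(rule, data)
            if reasons:
                findings.setdefault(name, []).append((rule.name, reasons))
    return findings


# Constructed sample artifacts (hypothetical red team agent, a patched copy, a benign file).
SAMPLE_TOOL = (b"MZ\x90\x00" + b"\x00" * 16 + b"RT_AGENT_BANNER" + b"\x00" * 8
               + b"--callback-host" + b"\x00" * 8 + b"--jitter")
# Same tool with one padding byte changed: the hash differs, the strings survive.
PATCHED_TOOL = SAMPLE_TOOL[:6] + b"\x01" + SAMPLE_TOOL[7:]
BENIGN_FILE = b"MZ\x90\x00" + b"\x00" * 32 + b"Hello, world"

# Constructed rules in the two styles countermeasure releases typically contain.
RULES = [
    Rule(name="hash_rt_agent", sha256={sha256_hex(SAMPLE_TOOL)}),
    Rule(name="strings_rt_agent",
         strings=[b"RT_AGENT_BANNER", b"--callback-host", b"--jitter"], min_strings=2),
]

ARTIFACTS = {
    "rt_agent.bin": SAMPLE_TOOL,
    "rt_agent_patched.bin": PATCHED_TOOL,
    "editor.exe": BENIGN_FILE,
}


def main() -> None:
    for name, hits in scan(ARTIFACTS, RULES).items():
        for rule_name, reasons in hits:
            print(f"{name}: {rule_name} ({', '.join(reasons)})")


if __name__ == "__main__":
    main()
```

Running it reports both rules for the original sample but only the string rule for the patched copy, which is the practical reason detection releases pair hashes with content or behaviour signatures rather than relying on hashes alone.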

Not a usual security incident that FireEye responds to

Information about government clients was among the targets, but there is no evidence that the attacker managed to exfiltrate incident response data, metadata collected by the security software, or other sensitive customer details.

The attackers tailored their capabilities specifically to attack FireEye, and according to the security firm's analysis, they are highly trained in operational security. A novel combination of techniques, not previously witnessed by FireEye or other firms, shows the sophistication of these actors.

No specific details have been published on how or when the incident happened or how the company was singled out. According to the company, the investigation involves the US Federal Bureau of Investigation and partners such as Microsoft. Further investigation is needed; one of those partners, Microsoft, stated:

This incident demonstrates why the security industry must work together to defend against and respond to threats posed by well-funded adversaries using novel and sophisticated attack techniques. We commend FireEye for their disclosure and collaboration, so that we can all be better prepared.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
