Top US cyber security firm FireEye hit by 'state-sponsored adversary'

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 09 Dec 2020

Top US-based cyber security firm FireEye has suffered an attack by what it calls a "highly sophisticated state-sponsored adversary", which has seen its Red Team tools falling into the hands of bad actors.

In a press release, the company says that because it believes these tools are now in the wrong hands and does not know whether the attacker intends to use them or disclose them publicly, it is releasing hundreds of countermeasures to enable the broader security community to protect itself.

It says it has also incorporated the countermeasures into its products and shared them with partners and government agencies, to dramatically limit the attacker's ability to exploit the tools.

A list of the countermeasures is published on the FireEye GitHub repository.

Red, Blue teams

A Red Team is a group of security professionals authorised and organised to mimic a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The aim is to improve enterprise cyber security by demonstrating the impacts of successful attacks and by showing the defenders, also known as Blue Teams, how to counter them in an operational environment.

FireEye has been performing Red Team assessments for customers across the globe for over 15 years, during which time it has developed a set of scripts, tools, scanners, and techniques - which have now been stolen.

Top-tier offensive capabilities

Kevin Mandia, the chief executive of FireEye, described the attack in a blog post, drawing on his 25 years' experience in cyber security and incident response.

"This attack is different from the tens of thousands of incidents we have responded to throughout the years," Mandia says. The attackers tailored their world-class capabilities specifically to target and attack FireEye.

"They are highly-trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."

The purloined tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community and are already distributed in the company’s open-source virtual machine, CommandoVM.

No zero-day exploits

On the plus side, FireEye says the tools that were stolen contained no zero-day exploits, and Mandia stresses that while the company does not believe that this theft will greatly advance the attacker’s overall capabilities, the company is doing everything in its power to prevent such a scenario.

To date, FireEye has not seen these tools disseminated or used by any adversaries, and is continuing to monitor for any such activity along with its security partners.

“We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft,” he adds.

Unanswered questions

Ilia Kolochenko, founder and chief architect at ImmuniWeb SA, says the incident appears to be quite "mysterious and obscure".

On the one hand, Kolochenko says, FireEye readily talks about a "highly sophisticated state-sponsored adversary"; on the other, it says that no zero-days or other highly valuable data were stolen.

"Why would a nation-state APT ever bother to expose their own zero-days and advanced hacking techniques to get a collection of semi-public Red Teaming tools?"

According to him, too many critical questions remain unanswered: when did the incident happen, which systems are impacted, and what are the chances that customers' data was compromised?

"We cannot exclude a probability that this specific incident was merely a smokescreen aimed to distract FireEye from a more important attack targeting clients' data or ultra-confidential private research. More transparency is expected from FireEye to dispel the doubts and bring clarity."
