Nation-State Hackers Breached FireEye, Stole Its Red Team Tools

Novel techniques used by the attackers cheated security tools and forensics, according to FireEye CEO Kevin Mandia.

Dark Reading logo in a gray background | Dark Reading

The cybersecurity firm best known for its incident response (IR) chops today said it had been breached by nation-state attackers who hacked into its systems and stole its red team tools. FireEye CEO Kevin Mandia revealed the hack in a blog post this afternoon, noting the company had contacted the FBI and is working with both the bureau and Microsoft in an investigation of the attack.

"This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye," Mandia said in the post. "They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."

The attackers were after and got hold of some of FireEye's red team assessment tools the company uses in its customer engagements. Mandia said the company is providing methods and ways to detect any malicious use of the stolen tools. So far, there's no sign of the purloined FireEye tools being used in any attacks, but Mandia says his company has created "countermeasures" to detect or block the tools, as well as countermeasures in its own security products, which are now available on GitHub

FireEye did not reveal which nation-state is behind the attack, but The New York Times reported it's believed to be Russia. 

The attackers mostly were looking for information on specific FireEye government customers, but Mandia said it doesn't appear they accessed any customer information from its IR or consulting projects or any metadata collected by FireEye products. They did, however, access some internal FireEye systems, he said.

"If we discover that customer information was taken, we will contact them directly," Mandia said.

Mandia didn't disclose any specifics on how the attackers got past FireEye's own network defenses, but the attack raises age-old concerns about determined attackers' ability to crack even the most advanced security organizations. It's also reminiscent of the so-called Hacking Team's breach and leak of the NSA's hacking tools and the fallout with the EternalBlue exploit. 

John Bambenek, president of Bambenek Labs and a handler with the SANS Internet Storm Center, says the challenge will be getting widespread adoption of the countermeasures FireEye released.

"The countermeasures have to be adopted by everyone, and we know that isn't going to happen," he says. "The first thing everyone should be doing is applying these detection tools in the IDS/IPS devices and endpoint detection tools. The second thing is to have a deep understanding into how these tools work so when the attackers modify the tools to defeat the detection rules FireEye posted, [defenders] can identify more long-term detection mechanisms" to thwart the tools being used against them.

Bambenek says he thinks the attackers were mainly interested in FireEye's red team tools because of their ability to evade detection: "Why do R&D when you can just steal it from FireEye?"

Rick Holland, CISO and vice president of strategy at Digital Shadows, notes that if FireEye's red team tools leak, the fallout will be painful.

"If these tools become widely available, this will be another example of the attackers' barrier to entry getting lower and lower," he said in a statement. "The bottom line here: These tools making into the wrong hands will make defenders' lives more challenging." 

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights