Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

FireEye Says ‘Sophisticated’ Hacker Stole Red Team Tools

Cybersecurity Firm Shares Countermeasures With Partners and Government Agencies to Blunt the Effects of the Breach

Cybersecurity Firm Shares Countermeasures With Partners and Government Agencies to Blunt the Effects of the Breach

Cybersecurity powerhouse FireEye late Tuesday acknowledged that a “highly sophisticated” threat actor broke into its corporate network and stole a range of automated hacking tools and scripts.

The breach, likely the work of a nation-state backed actor, follows a pattern of advanced threat actors targeting security vendors. FireEye said the stolen red-team tools are publicly available and have been modified to evade basic security detection mechanisms. 

FireEye Logo“Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them, FireEye is releasing hundreds of countermeasures with this blog post to enable the broader security community to protect themselves against these tools,” FireEye said in a blog post announcing the intrusion.

“We have incorporated the countermeasures in our FireEye products—and shared these countermeasures with partners, government agencies—to significantly limit the ability of the bad actor to exploit the Red Team tools,” the company added.

FireEye said the tools stolen by the attacker did not contain zero-day exploits. “The tools apply well-known and documented methods that are used by other red teams around the world. 

“Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario,” it added.

FireEye CEO Kevin Mandia said the company was specifically targeted by the attacker. “Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia said in a separate statement.

“This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye,” he added.

Mandia also disclosed that the attacker primarily sought information related to “certain government customers.” 

“While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly,” the chief executive added.

FireEye isn’t the first big-name security vendor to suffer a breach at the hands of nation-state backed threat actors. In 2015, Kaspersky acknowledged its network was compromised by a threat actor known publicly as Duqu and linked to a nation-state. Other security companies breached over the years include RSA Security in 2011, Symantec in 2012, and Bit9 in 2013.

“If a nation-state with all of its resources targets an organization, the chances are very high that the adversary will be successful,” Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, told SecurityWeek. “Intelligence agencies can accomplish their missions, so defenders ultimately have to fall back to detection and response. The adage, ‘those who live in glass houses should not throw stones,’ applies here. Any organization can be compromised; it is how you respond to an intrusion that determines its severity.”

“Hopefully, these tools don’t make their way into the public’s hands,” Holland continued. “We have seen the damaging impact of Hacking Team and the NSA’s EternalBlue tool leaks/disclosures. If these tools become widely available, this will be another example of the attackers’ barrier to entry getting lower and lower. The bottom line here: these tools making into the wrong hands will make defenders’ lives more challenging.”

Shares of publicly traded FireEye (NASDAQ: FEYE) were trading down nearly 8% in after hours trading Tuesday, after enoying a recent rise following a $400 million strategic investmentled by investment giant Blackstone announced in late November.

Related: FireEye Says Was Hacked by Nation State

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...