Cybersecurity firm FireEye this week revealed that a highly sophisticated threat group likely sponsored by a foreign government breached its network and stole some of its Red Team tools.
The compromised tools did not contain any zero-day exploits or novel techniques, and FireEye said they would likely not advance the attacker’s overall capabilities too much.
FireEye said it was unclear if the attackers were planning on using the stolen tools themselves or if they intended to make them public. Nevertheless, the company decided to release hundreds of countermeasures to help others detect potential attacks employing the compromised tools.
The firm claimed it had found no indication that the attackers exfiltrated data related to customers or its threat intelligence systems.
Industry professionals have commented on the hack, including the attackers’ possible motives and the incident’s overall implications.
And the feedback begins…
Greg Touhill, President, AppGate Federal Group:
“Thoughts from my perch:
- Initial reports are often wrong or incomplete. Nevertheless, the initial reporting indicates a significant attack that has far-ranging impact
- This is a real coup for the attacker. FireEye has a significant customer base, especially in the government sector, and the information obtained is not trivial. The attacker can use the information to refine their tactics, techniques, and procedures in numerous other attacks/campaigns
- Kevin Mandia continues to be one of the straight-shooters in the business and is demonstrating leadership in disclosing this attack.
Why the attackers would target this FireEye information:
- Reading the proprietary FireEye information can help the adversary understand what parts of the attacker’s arsenal has been figured out by FireEye (and potentially the US government) and what hasn’t, thereby providing invaluable intelligence that can be used to refine the attacker’s arsenal.
- Reading FireEye’s playbook may also provide the nation-state actor clues on new tools they should develop to neutralize FireEye (and potentially US government) tools and tactics, techniques and procedures (TTPs).
- Reading FireEye’s proprietary reports on FireEye’s red team and pentest customers provides a rich treasure trove of information that can inform further campaigns.
- Reading FireEye’s data may provide a phenomenal source of information on the cyber activities of other nation-state actor groups against FireEye customers. This information can be used to create controls and counter-measures against those potential foes OR be used to masquerade future attacks against targets to make it appear the attacks are coming from a different nation-state actor”
Eyal Wachsman, Co-Founder & CEO, Cymulate:
“The attack on FireEye and potential exfiltration of code or data is every security vendor’s worst nightmare, and a primary concern for their customers.
Given the high calibre of attack, it is highly unlikely that the attack tools stolen were the ultimate goal, because if you can breach FireEye, these tools don’t add value to you. Similar to the RSA breach, it is more realistic to think that the threat actors wanted access to highly sensitive defense industry information.
All software companies, even security vendors such as Kaspersky, Bit9 and RSA have their share of bugs in their code that could provide a backdoor to hackers. Until it is clear whether or not the breach includes code or sensitive data that may provide access to customer networks, they should remain extremely vigilant.”
Roger Hale, Chief Security Officer, BigID:
“A company’s brand and reputation will definitely be impacted by a breach, but it is how a company responds that will determine the magnitude of that impact. And as a security professional, my first take on FireEye’s disclosure of the attack is they are doing it right. FireEye’s stock dropped 7% in after hour stock trading, but in the long term, FireEye’s response to the breach will support the company’s quick recovery. They publicly and responsibly disclosed the breach. They are sharing IOCs and countermeasures for the stolen tech publicly to allow companies to implement protections. While I expect their recovery to be quick, they will have to absorb the cost to develop new “red team tools” to replace those that are now compromised, and they will likely need to engage in the new community discussion regarding the risk of these proprietary tools being made, as opposed to using open source tooling.
Everyone can be hacked – FireEye is not the first, nor will they be the last security company to be successfully attacked. Any good security program must include response recovery and a return to normal operations, and the first step in that process is knowing what was compromised and how it was compromised. Addressing this issue requires a mature security program that includes knowing where your critical assets are, how they are protected, monitoring, response and recovery.”
Brandon Hoffman, Chief Information Security Officer, Netenrich:
“Very interesting that they stole the red team toolkit from FireEye. Most likely they plan to use this commodity type tooling to cover up their tracks so as to not expose their own custom tools and save those for special attacks or second stage attacks.”
Ilia Kolochenko, Founder and Chief Architect, ImmuniWeb:
“The incident seems to be quite mysterious and obscure. On one side, FireEye readily talks about a “highly sophisticated state-sponsored adversary”, on the other, says that “no 0days” or otherwise highly valuable data was stolen. Why would a nation-state APT ever bother to expose their own 0days and advanced hacking techniques to get a collection of semi-public Red Teaming tools?
A wide spectrum of vital questions likewise remains unanswered: when did this incident happen, which systems are impacted, what are the chances that clients’ data was compromised? We cannot exclude a probability that this specific incident was merely a smokescreen aimed to distract FireEye from a more important attack targeting clients’ data or ultra-confidential private research. More transparency is expected from FireEye to dispel the doubts and bring clarity.”
Mike Puglia, Chief Strategy Officer, Kaseya:
“This breach is troubling for the security industry for two reasons: how it was accomplished, and what was obtained. This was a very customized, almost surgical, strike by nation-state actors against a specific private entity that provides security for some of the world’s most sensitive information, including U.S. national defense assets. This is a major escalation of the nation-state cybercrime crisis, and it indicates that this already pernicious problem is still ramping up.
This breach also allowed bad actors to obtain extremely valuable, cutting-edge technologies used to stop cybercriminals and spies from accessing critical secure systems and data. Unfortunately, not only does snatching those tools give them the opportunity to learn precisely how to beat them, but it also gives them an advantage in beating future defensive solutions built with similar technology.”
Rick Holland, Chief Information Security Officer, Vice President Strategy, Digital Shadows:
“If a nation-state with all of its resources targets an organization, the chances are very high that the adversary will be successful. Intelligence agencies can accomplish their missions, so defenders ultimately have to fall back to detection and response. The adage, “those who live in glass houses should not throw stones,” applies here. Any organization can be compromised; it is how you respond to an intrusion that determines its severity.
Hopefully, these tools don’t make their way into the public’s hands. We have seen the damaging impact of Hacking Team and the NSA’s EternalBlue tool leaks/disclosures. If these tools become widely available, this will be another example of the attackers’ barrier to entry getting lower and lower. The bottom line here: these tools making into the wrong hands will make defenders’ lives more challenging.”
