FireEye breach explained: How worried should you be?
Cybersecurity firm FireEye announced Tuesday that a sophisticated group of hackers, likely state-sponsored, broke into its network and stole tools the company’s experts developed to simulate real attackers and test the security of its customers. While this is a worrying development, it is unlikely to significantly increase the risk to organizations in the way some earlier leaks of offensive tools did.

FireEye is one of the world’s top cybersecurity firms with major government and enterprise customers around the world. The company is known for its top-notch research on state-sponsored threat actors and its incident response capabilities. Over the years it was called to investigate some of the most high-profile breaches in governments and organizations.

Who breached FireEye?

“Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack,” FireEye CEO Kevin Mandia said in a public announcement. “This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

What did the FireEye attackers want?

The attackers, who the Washington Post reported are the hacking arm of Russia’s SVR foreign intelligence service, known in the security industry as APT29 or Cozy Bear, sought information related to FireEye’s government customers. The company said that at this time it has seen no evidence that customer information related to incident response and consulting engagements was stolen, but the attackers did obtain some of the company’s internal red team tools.

Red team is the industry term for penetration testers contracted to simulate real attacks so that defenders—the blue team—can assess the strength of the organization’s security measures, its ability to respond, and the impact of potential breaches. According to FireEye, the stolen tools range from simple scripts for network reconnaissance to more advanced attack frameworks that are similar to publicly available penetration testing toolkits like Metasploit or Cobalt Strike, but which were developed specifically for its red team. Some of the tools are already public as part of the company’s open-source virtual machine CommandoVM, or are modifications of existing open-source scripts and packages.

“The red team tools stolen by the attacker did not contain zero-day exploits,” FireEye said in a blog post. “The tools apply well-known and documented methods that are used by other red teams around the world. Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario.”

Copyright © 2020 IDG Communications, Inc.