Who’s behind the FireEye breach?
“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” Mandia shared.
“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
The attackers’ discipline, operational security, and techniques point to a state-sponsored operation, though Mandia refrained from saying or speculating about which nation-state might be behind it. (According to The New York Times, the lead suspects at this moment are Russian hackers.)
The attackers accessed and stole FireEye’s Red Team tools, which the company uses to probe other organizations’ security posture to help them improve it.
“The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM,” the company shared.
“Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team.”
The attackers did not want just the tools – they also went after information related to FireEye’s government customers. But while they were able to access some of the company’s systems, Mandia said that they have seen no evidence of successful exfiltration of data related to incident response and consulting engagements or metadata collected by their products.
Microsoft and the FBI have been called in to help with the investigation of the FireEye breach.
FireEye says there is no indication that the attackers have started using the stolen tools or have leaked them.
Nevertheless, the company has created countermeasures for detecting and/or blocking their use: Snort, YARA and ClamAV rules, which it has released publicly for anyone to use and built into its own security products. It has also compiled a list of the vulnerabilities the tools take advantage of; none of them is a zero-day, so all are already publicly known and can be patched or mitigated.
What impact the breach will have on the company long-term remains to be seen. For the time being, its shares dropped 8%, and it now holds a set of Red Team tools that can be easily foiled by the very detection rules it published. Though this type of tool arsenal is continually expanded and modified, it will likely take a while to “sharpen” it again.
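To make concrete how the released YARA rules “foil” a stolen tool, and why such an arsenal can be re-sharpened by modification, here is an added example that is not part of the original article and is not FireEye’s rule set or tooling: a small pure-Python matcher that mimics two kinds of YARA rule (plain text strings, and hex byte patterns with `??` wildcards) and runs them over two constructed byte blobs standing in for a tool binary and a lightly modified copy. The blob contents, the rule names and the `RedTeamTool` banner are all invented for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample artefacts (not real FireEye tools): a stand-in tool binary
# and a copy where the operator changed the banner string and one constant.
ORIGINAL_TOOL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"RedTeamTool v1.2 beacon\x00"   # identifying banner string
    + b"\x6a\x40\x68\x00\x30\x00\x00"   # push 0x40; push 0x3000 (VirtualAlloc-style args)
    + b"\x00" * 8
)
MODIFIED_TOOL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Updater v1.2 svc\x00"           # banner renamed to dodge string-only rules
    + b"\x6a\x40\x68\x00\x10\x00\x00"   # same code shape, push 0x1000 instead of 0x3000
    + b"\x00" * 8
)


@dataclass
class Rule:
    """A minimal YARA-like rule: strings plus a 'condition' of at least N hits."""
    name: str
    text_strings: List[bytes] = field(default_factory=list)
    hex_patterns: List[str] = field(default_factory=list)  # e.g. "6A 40 68 ?? ?? 00 00"
    min_matches: int = 1  # condition: at least this many strings/patterns must hit


def hex_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Turn a YARA-style hex string into a bytes regex; '??' is a one-byte wildcard."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, rule: Rule) -> Dict[str, int]:
    """Return {identifier: first offset} for every string/pattern of the rule found in data."""
    hits: Dict[str, int] = {}
    for s in rule.text_strings:
        off = data.find(s)
        if off != -1:
            hits[s.decode("latin-1")] = off
    for p in rule.hex_patterns:
        m = hex_pattern_to_regex(p).search(data)
        if m:
            hits[p] = m.start()
    return hits


def matches(data: bytes, rule: Rule) -> bool:
    """Evaluate the rule's condition against the scan results."""
    return len(scan(data, rule)) >= rule.min_matches


# Two rule styles: a brittle string rule and a more durable opcode-shape rule.
STRING_RULE = Rule("RedTeamTool_banner", text_strings=[b"RedTeamTool", b"beacon"])
OPCODE_RULE = Rule("RedTeamTool_alloc_stub", hex_patterns=["6A 40 68 ?? ?? 00 00"])


def demo() -> Dict[str, Dict[str, bool]]:
    """Run both rules over both blobs; returns {blob_label: {rule_name: matched}}."""
    results = {}
    for label, blob in (("original", ORIGINAL_TOOL), ("modified", MODIFIED_TOOL)):
        results[label] = {r.name: matches(blob, r) for r in (STRING_RULE, OPCODE_RULE)}
    return results


if __name__ == "__main__":
    for label, res in demo().items():
        print(label, res)
```

The string rule catches the original blob and misses the renamed copy, which is the sense in which a leaked arsenal is “foiled” only until it is modified; the wildcarded opcode pattern survives the rename because it keys on code shape rather than on strings. Real YARA rules (and the Snort and ClamAV equivalents) follow the same logic at scale, and the practical check for defenders is that a rule set covers more than easily edited strings.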
Finally, though they are not the first cybersecurity company to have been breached, their reputation might suffer a hit, particularly because they are in the business of helping other organizations keep safe from cyber attackers.
The attackers, on the other hand, can consider this sortie a success: they’ve grabbed tools they can use when they don’t want to “burn” the tools they’ve created themselves or make it obvious they are behind an attack, and they might have unearthed information that may aid their future efforts.
Cyber defenders are now left waiting for more details about the “novel combination of techniques” used in the attack.