A company that tries to help customers ward off cyberattacks was itself the victim of an attack, and one seemingly carried out by a nation-state. On Tuesday, security firm FireEye revealed that it was hit by a state-sponsored cyberattack through which the attackers stole its Red Team tools, a collection of scripts, scanners, and techniques used to train clients on how to improve their security defenses.
SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)
“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” FireEye CEO Kevin Mandia said in the blog post. “This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye.”
Mandia referred to the attackers as highly trained in operational security and the attack itself as carried out with discipline and focus. The attackers operated clandestinely using tactics that counter security defenses and examination, and ones that Mandia said were not seen by FireEye or its partners before.
Mandia said that FireEye is investigating the incident with help from the FBI and key partners such as Microsoft. Their preliminary findings also point to the culprit as a sophisticated state-sponsored attacker who used novel techniques.
The attacker targeted and stole specific Red Team assessment tools used to analyze the security of FireEye customers. Red Team tools are designed to replicate the behavior of actual cybercriminals to simulate a real attack. To thwart this simulated attack, an organization uses a Blue Team as a way to test and bolster its internal defenses.
“FireEye’s tools are essentially real-world malware that were used to ‘pen-test,’ or probe for vulnerabilities of real-world clients,” Kevin O’Brien, CEO and co-founder of email security provider GreatHorn, told TechRepublic. “Having that toolkit get stolen by a nation-state is fundamentally different from having it stolen by a private threat actor: A nation-state actor operates on longer timelines (months or years), and uses technology like this to develop hyper-targeted novel attacks.”
The question now is how will the attackers take advantage of the stolen Red Team tools?
Mandia said he isn’t sure whether the attackers will use the tools or publicly disclose them. Noting that private actors sell tools, O’Brien believes that these nation-state actors are more likely to use the tools for sophisticated attacks on major infrastructure targets, such as healthcare systems, military targets, and industrial control systems.
Government agencies may also be at risk, especially since Mandia revealed that the attacker specifically went after information related to certain government customers.
“The stolen tools give the attackers another method to compromise government targets,” said Rick Holland, chief information security officer at security firm Digital Shadows. “They can reserve their top-tier tools for ‘hard targets’ like the Department of Defense and potentially leverage these new tools against ‘soft targets’ like civilian government agencies. The unidentified thieves could use the stolen tools to imitate other countries’ tactics, adding a new layer to protect their true identities and intentions.”
In response to the theft of the Red Team tools, Mandia said that none of them contain any zero-day exploits, which could be employed to compromise computers and networks. He also said that FireEye hasn’t yet seen any evidence that an attacker has used these tools. But Mandia added that the company has deployed 300 countermeasures both for its customers and the community at large, including the following:
- “We have prepared countermeasures that can detect or block the use of our stolen Red Team tools.
- We have implemented countermeasures into our security products.
- We are sharing these countermeasures with our colleagues in the security community so that they can update their security tools.
- We are making the countermeasures publicly available in our blog post, “Unauthorized Access of FireEye Red Team Tools.”
- We will continue to share and refine any additional mitigations for the Red Team tools as they become available, both publicly and directly with our security partners.”
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued its own advisory in response to the attack, urging cybersecurity professionals to review FireEye’s two blog posts (“FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community” and “Unauthorized Access of FireEye Red Team Tools“) for more information and FireEye’s GitHub repository for detection countermeasures.
“Hopefully, these tools don’t make their way into the public’s hands,” Holland said. “We have seen the damaging impact of Hacking Team and the NSA’s EternalBlue tool leaks/disclosures. If these tools become widely available, this will be another example of the attackers’ barrier to entry getting lower and lower. The bottom line here: These tools making into the wrong hands will make defenders’ lives more challenging.”