Suspected Russian Attackers Steal FireEye Red Team Tools

Suspected Russian Attackers Steal FireEye Red Team Tools

Security giant FireEye has been on the receiving end of a sophisticated, novel attack from nation state actors looking for data on government clients, the firm has revealed.

CEO Kevin Mandia explained in a blog post yesterday that the attackers were able to access some internal systems but that there’s no evidence so far they managed to exfiltrate customer data or metadata collected by the firm’s threat intelligence systems.

However, they did manage to steal some of FireEye’s red team tools, which it uses to test customers’ security.

“We are not sure if the attacker intends to use our red team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools,” Mandia explained.

“We have seen no evidence to date that any attacker has used the stolen red team tools. We, as well as others in the security community, will continue to monitor for any such activity.”

According to another blog from the firm, these tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available offerings like CobaltStrike and Metasploit.

Although Mandia released few details of how attackers gained a foothold in the networks of one of the world’s most high profile cybersecurity companies, he did disclose that it was likely to be a nation with “top-tier offensive capabilities.

“This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye,” he said.

“They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

Reports have suggested with near certainty that the attackers were backed by the Russian state. If that’s the case, it would call to mind the Shadow Brokers attacks of 2016 which led to the capture of some powerful NSA hacking tools.

Rick Holland, CISO at Digital Shadows, argued that the stolen red team tools, which are designed to mimic the behavior of threat actors, will provide the attackers with another method to compromise government targets.

“They can reserve their top-tier tools for ‘hard targets’ like the Department of Defense and potentially leverage these new tools against ‘soft targets’ like civilian government agencies,” he added.

“The unidentified thieves could use the stolen tools to imitate other countries’ tactics, adding a new layer to protect their true identities and intentions. Stealing these tools also reduces operational costs as the nation state actors don’t have to develop new software exploits and management tools for their intrusions.”

Leave a Reply