By: Ravie Lakshmanan
FireEye, one of the largest cybersecurity firms in the world, said on Tuesday that it became the victim of a state-sponsored attack by a “highly sophisticated threat actor” that stole the arsenal of Red Team penetration testing tools it uses to test its customers’ defenses.
The company said it’s actively investigating the breach in coordination with the US Federal Bureau of Investigation (FBI) and other key partners, including Microsoft.
It did not identify a specific culprit who might be behind the breach, nor did it disclose exactly when the hack took place.
However, The New York Times and The Washington Post reported that the FBI has turned over the investigation to its Russian specialists and that the attack is likely the work of APT29 (or Cozy Bear) — state-sponsored hackers affiliated with Russia’s SVR Foreign Intelligence Service — citing unnamed sources.
As of writing, the hacking tools have not been exploited in the wild, nor do they contain zero-day exploits, although malicious actors in possession of these tools could abuse them to subvert security barriers and take control of targeted systems.
Red Team tools are often used by cybersecurity organizations to mimic those used in real-world attacks with the goal of assessing a company’s detection and response capabilities and evaluating the security posture of enterprise systems.
The company said the adversary also accessed some internal systems and primarily sought information about government clients but added there’s no evidence that the attacker exfiltrated customer information related to incident response or consulting engagements or the metadata collected by its security software.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” FireEye CEO Kevin Mandia wrote in a blog post.
“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
The accessed Red Team tools run the gamut from scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. A few others are modified versions of publicly available tools designed to evade basic security detection mechanisms, while the rest are proprietary attack utilities developed in-house.
To minimize the potential impact of the theft of these tools, the company has also released 300 countermeasures, including a list of 16 previously disclosed critical flaws that should be addressed to limit the effectiveness of the Red Team tools.
If anything, the development is yet another indication that no company, cybersecurity firms included, is immune to targeted attacks.
Major cybersecurity firms such as Kaspersky Lab, RSA Security, Avast, and Bit9 have fallen victim to damaging hacks over the past decade.
The incident also bears faint similarities to The Shadow Brokers’ leak of offensive hacking tools used by the US National Security Agency in 2016, which also included the EternalBlue zero-day exploit that was later weaponized to distribute the WannaCry ransomware.
“Security companies are a prime target for nation-state operators for many reasons, but not least of all is [the] ability to gain valuable insights about how to bypass security controls within their ultimate targets,” CrowdStrike co-founder Dmitri Alperovitch said.
The release of red team tools stolen by the adversary “will go a long way to mitigating the potential impact of this intrusion for organizations all over the world,” he added.