The attackers' discipline, operational security, and techniques lead to the conclusion that it was a state-sponsored attack.
Global cybersecurity company FireEye has shared details of a recent cyberattack that led to the theft of the Red Team assessment tools it uses to test customers’ security.
In a blog post by CEO Kevin Mandia, the company admitted that it had been attacked by a highly sophisticated threat actor. FireEye believes the attackers’ discipline, operational security, and techniques lead to the conclusion that it was a state-sponsored attack.
“Our number one priority is working to strengthen the security of our customers and the broader community,” wrote Mandia. “We hope that by sharing the details of our investigation, the entire community will be better equipped to fight and defeat cyber-attacks.”
Mandia said the attack was carried out by a nation with top-tier offensive capabilities, and that it differs from the tens of thousands of incidents FireEye has responded to over the years.
“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus,” he wrote.
“They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
FireEye is actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Those partners’ initial analysis supports FireEye’s conclusion that this was the work of a highly sophisticated state-sponsored attacker utilising novel techniques.
“During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security,” Mandia noted. “These tools mimic the behaviour of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.”
He stated that FireEye is not sure whether the attacker intends to use the Red Team tools or to publicly disclose them. To counter either outcome, FireEye has developed about 300 countermeasures for its customers, and the community at large, to use in order to minimise the potential impact of the theft of these tools.
“We have seen no evidence to date that any attacker has used the stolen Red Team tools,” Mandia states. “We, as well as others in the security community, will continue to monitor for any such activity. At this time, we want to ensure that the entire security community is both aware and protected against the attempted use of these Red Team tools.”
Proactive actions by FireEye include:
- Preparing countermeasures that can detect or block the use of the stolen Red Team tools.
- Implementing those countermeasures in its own security products.
- Sharing the countermeasures with colleagues in the security community so that they can update their security tools.
- Making the countermeasures publicly available in the blog post “Unauthorised Access of FireEye Red Team Tools”.
“We will continue to share and refine any additional mitigations for the Red Team tools as they become available, both publicly and directly with our security partners,” said Mandia.
“Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers.”
While the attacker was able to access some of FireEye’s internal systems, at this point in its investigation, FireEye has no evidence that the attacker exfiltrated data from its primary systems that store customer information from incident response or consulting engagements, or the metadata collected by products in its threat intelligence systems.
“If we discover that customer information was taken, we will contact them directly,” Mandia noted.
In early December 2020, FireEye announced it would work closely with Amazon Web Services (AWS) to deliver security from and for the cloud, to help government agencies of all sizes comprehensively secure their multi-cloud and hybrid environments.