FireEye’s ethical hacking tools stolen in state-backed attack

Attackers working on behalf of an undisclosed nation state actor – likely Russia – have compromised the systems of cyber security firm FireEye and accessed and stolen a number of the hacking tools it uses to conduct red team assessments of its customers’ security.

These tools are designed to test security by mimicking the behaviour of cyber threat actors, enabling FireEye’s consultants to provide diagnostic security services and advice to user organisations. Although no active zero-day exploits were contained within them, their theft is a source of great concern as, depending upon whose hands they fall into, they could now be used offensively by malicious actors, as opposed to ethical hackers.

To this end, FireEye said it was now proactively releasing methods and means to detect the use of its stolen tools. It already has an arsenal of over 300 countermeasures to hand for its customers, and the wider security community, to minimise the potential impact of the breach. These can be found at its GitHub repository.

Kevin Mandia, FireEye CEO, said there were a number of factors that had led him to conclude the incident was a state-backed attack, and although he did not directly point the finger at Russian actors, it was clear the attacker was backed by a nation with top-tier capabilities. He added that by being open about the incident from the outset, the security community will be better equipped to fight what may now be coming.

“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” said Mandia. “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.

“We are actively investigating in coordination with the Federal Bureau of Investigation (FBI) and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilising novel techniques,” he said.

“We have seen no evidence to date that any attacker has used the stolen Red Team tools. We, as well as others in the security community, will continue to monitor for any such activity. At this time, we want to ensure that the entire security community is both aware and protected against the attempted use of these Red Team tools.”

Mandia noted that, consistent with nation state cyber espionage efforts, FireEye’s attackers seemed to be mainly seeking information on its government customers. He went on to state that while they did access some of the firm’s internal systems, there was – as yet – no evidence that any customer data or information from its incident response or consulting practice, or metadata from its threat intelligence systems, has been compromised. If this changes, relevant customers will be informed.

“Every day, we innovate and adapt to protect our customers from threat actors who play outside the legal and ethical bounds of society,” said Mandia. “This event is no different. We’re confident in the efficacy of our products and the processes we use to refine them. We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. We will never be deterred from doing what is right.”

The attack on FireEye is a highly significant incident reminiscent of the Shadow Brokers attacks on the US National Security Agency (NSA), which ultimately resulted in the theft of the exploits used in the devastating WannaCry attacks of May 2017.

The group went on to establish a subscription service for the purloined zero-day exploits, and there has been widespread speculation already that the FireEye incident may result in a similar outcome.

The attack also serves as a near-perfect demonstration of the fact that even with the optimum security controls and watertight policies in place, organisations have no control over whether or not they fall victim to a cyber attack – moreover, that there is no shame in being open and transparent about them.