FireEye reveals that it was hacked by a nation state APT group

Leading cybersecurity company FireEye disclosed today that it was hacked by a threat actor showing all the signs of a state-sponsored hacking group.

The attackers were able to steal Red Team assessment tools FireEye uses to test customers' security and designed to mimic tools used by many cyber threat actors.

FireEye is one of several security firms that have been compromised in similar attacks, with Trend Micro admitting to a breach in May 2019, Symantec in 2019, Avast in 2019 and 2017 [1, 2, 3], Kaspersky in 2015, and RSA Security back in 2011. Google was also hacked in 2009 by an APT group linked to China.

Attacker showed all the signs of a state-backed threat actor

"Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack," Chief Executive Officer and Board Director Kevin Mandia said in a filing with the Securities and Exchange Commission (SEC).

"Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities.

"This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye."

The threat actor who breached FireEye's defenses specifically targeted FireEye's assets and used tactics designed to counter both forensic examination and security tools that detect malicious activity.

The cybersecurity firm is still investigating the cyberattack with the collaboration of the Federal Bureau of Investigation and security partners like Microsoft.

So far, initial analysis of the attack supports FireEye's conclusion that the company was the victim of a "highly sophisticated state-sponsored attacker utilizing novel techniques."

State-sponsored hackers stole FireEye Red Team tools

"During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security," Mandia added.

"None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools."

The stolen tools "range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit," FireEye said in a blog post on its Threat Research blog.

However, many of them were already available to the broader security community or were distributed as part of FireEye's CommandoVM open-source virtual machine.

The Red Team tools stolen in the attack haven't yet been used in the wild based on information collected since the incident and FireEye has taken measures to protect against potential attacks that will use them in the future:

• We have prepared countermeasures that can detect or block the use of our stolen Red Team tools.
• We have implemented countermeasures into our security products.
• We are sharing these countermeasures with our colleagues in the security community so that they can update their security tools.
• We are making the countermeasures publicly available on our GitHub.
• We will continue to share and refine any additional mitigations for the Red Team tools as they become available, both publicly and directly with our security partners.

This GitHub repository contains a list of Snort and Yara rules that can be used by organizations and security professionals to detect FireEye's stolen Red Team tools when used in attacks.

Government customers' information also targeted

During the attack, the threat actor also attempted to collect information on government customers and was able to gain access to some FireEye internal systems.

"While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems," Mandia explained on FireEye's corporate blog.

FireEye is a cybersecurity firm founded in 2004 with headquarters in Milpitas, California. It has over 8,500+ customers in 103 countries and more than 3,200+ employees worldwide.

Update December 09, 04:41 EST: The FBI Cyber Division's Assistant Director has issued a statement regarding the ongoing investigation of the FireEye hack:

Washington Post also reports that, according to sources, the state-backed hacking group behind the FireEye security breach is the Russian cyberespionage group APT29 (aka Cozy Bear).

This group is linked to attacks on commercial and government entities from Germany, South Korea, Uzbekistan, and the USA, including the Pentagon, the Democratic National Committee, as well as the U.S. State Department and the White House in 2014.